A pair of widely used WordPress plugins need to be patched on more than 320,000 websites to close down vulnerabilities that can be exploited to gain admin control of the web publishing software.
The team at WebArx, a security firm specializing in WordPress and other CMS and publishing platforms, took credit for discovering and reporting the flaws in WP Time Capsule and InfiniteWP. Both plugins were patched earlier this month by the developer, and the updates should be applied.
In each case, WebArx says, the authentication bypass flaws were down to "logical issues" that, when targeted, gave an attacker admin access over the site without the need for a password.
In the case of InfiniteWP, a management tool with an estimated 300,000 users, the attacker would make a POST request with the payload written first in JSON and then encoded in Base64. If properly encoded, the request will be able to bypass the password requirement and log in the user with only the username.
For WP Time Capsule, a backup tool running on around 20,000 sites, the bypass would also be run as a POST request, but without the need for the payload to be encoded. Again, if a specific string is included in the request, the code won't ask for authentication and will allow admin access to the site.
In this case, patching the plugins is particularly important, as attacks on the vulnerabilities would likely slip past firewalls.
"Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from," WebArx explained.
"In this case, it’s hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate looking payload of both plugins."
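As an added illustration of the detection point made above (this is not code from the article, from WebArx, or from the plugins' developer), the script below shows what a decoding-aware check adds over a plain pattern-matching rule: it Base64-decodes POST bodies and flags a JSON login request that carries a username but no password. The endpoint, field names and log format are assumptions made for the example, not the plugins' actual request format, and the log lines are constructed.

```python
"""Decoding-aware inspection of POST bodies. The field names ("action",
"username", "password"), the endpoint and the log format are assumptions
for this example, not the plugins' real request format."""
import base64
import binascii
import json

# Constructed sample: each line is "<client> <method> <path> <body>".
SAMPLE_LOG = [
    "203.0.113.5 POST /wp-admin/admin-ajax.php " + base64.b64encode(
        json.dumps({"action": "login", "username": "admin"}).encode()).decode(),
    "198.51.100.7 POST /wp-admin/admin-ajax.php " + base64.b64encode(
        json.dumps({"action": "login", "username": "editor",
                    "password": "hunter2"}).encode()).decode(),
    "192.0.2.9 POST /wp-admin/admin-ajax.php " + base64.b64encode(
        json.dumps({"action": "backup_status"}).encode()).decode(),
    "192.0.2.10 POST /wp-admin/admin-ajax.php action=heartbeat",
]

def decode_body(body):
    """Return the JSON object wrapped in a Base64 body, or None if it is not one."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def is_passwordless_login(obj):
    """The logical flaw in miniature: a login request with a username but no credential."""
    return (obj.get("action") == "login"
            and "username" in obj
            and not obj.get("password"))

def find_suspicious(lines):
    """Return the client addresses whose decoded body is a passwordless login."""
    hits = []
    for line in lines:
        client, method, _path, body = line.split(" ", 3)
        if method != "POST":
            continue
        obj = decode_body(body)
        if obj is not None and is_passwordless_login(obj):
            hits.append(client)
    return hits

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # ['203.0.113.5']
```

A rule that only matches on literal strings never sees the decoded fields, which is why the encoded request and a legitimate one look alike until the body is decoded.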
WebArx noted that, to their credit, Revmakx, the developer of both plugins, was quick to respond and each was updated within a day of being reported.
Let this serve as a reminder to admins that WordPress and all of its plugins should be included in your regular update cycles. While patches for Windows, Acrobat, and other software get much of the press, WordPress is an extremely popular target for attackers looking to hijack sites and install things like cryptocoin miners or MageCart. ®