Critical WordPress Bug Leaves 320,000 Sites Open to Attack
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site’s backend with no password.
All an attacker needs is the admin username for the WordPress plugins and they are in, according to researchers from WebArx who created proof-of-concept attacks to exploit the vulnerability.
“[Both] contain logical issues in the code that allows you to login into an administrator account without a password,” wrote WebArx in a blog post outlining the discovery on Wednesday.
According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin. The WP Time Capsule plugin is active on 20,000 websites, according to library tallies.
Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server. That allows site owners to “perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously,” according to a WordFence description.
The vulnerabilities were first reported on Jan. 7, 2020. The next day the developers released new versions of the plugins. On Tuesday, WebArx publicly disclosed the bugs.
The InfiniteWP Client Bug
Specifically impacted are versions of the InfiniteWP Client plugin below 22.214.171.124, WebArx said. The proof of concept is simple, earning the bug a Common Vulnerability Scoring System (CVSS) rating of 9.8, or critical.
The proof-of-concept attack first requires a payload encoded with JSON, then Base64. Next it is sent raw to the targeted site in a POST request.
“The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions,” WebArx explains.
“In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists,” researchers wrote.
Next, WebArx said, the username that is supplied by the attacker will be used to login as the user without performing any further authentication. No password, no problem.
WP Time Capsule Bug
As for WP Time Capsule, researchers identified versions below 1.21.16 as vulnerable.
As for the WP Time Capsule plugin, its payload can be simpler and only needs to contain a certain string in the body of the raw POST request, researcher said.
“The issue is located in wptc-cron-functions.php line 12 where it parses the request. The parse_request function calls the function decode_server_request_wptc which check if the raw POST payload contains the string ‘IWP_JSON_PREFIX’,” researchers wrote.
The short version of the exploit is; “If [the request] contains this string, it calls wptc_login_as_admin (which grabs all available administrator accounts and uses the first account in the list) and you’ll be logged in as an administrator.”
WebArx also warns that firewalls may give users a false sense of security when it comes to this vulnerability.
“Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from,” they said.
They added because the payload is encoded it might be hard to distinguish from a legitimate payload.
“Because of the nature of the vulnerability, cloud-based firewalls might not be able to make a difference between malicious or legitimate traffic and therefore may fail provide effective protection against this vulnerability,” they wrote.