WordPress users are at serious risk from a critical bug that, at the time of this article’s writing, has been patched. According to research published by WebARX Security, the bug is a critical authentication bypass vulnerability found in the Infinite WP Client and WP Time Capsule plugins. With only the admin username and the proof-of-concept attack, a threat actor can access a WordPress site’s backend without a password. This is not the first time a WordPress vulnerability has affected users of the popular web publishing and blogging platform.
In the case of the Infinite WP Client, WebARX Security explains in the following excerpt how the bug functions:
The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.
In this case, the condition is that the iwp_action parameter of the payload must equal readd_site or add_site as they are the only actions that do not have an authorization check in place. The missing authorization check is the reason why this issue exists.
As for the WP Time Capsule plugin, WebARX also explains the bug in detail:
The issue is located in wptc-cron-functions.php line 12 where it parses the request. The parse_request function calls the function decode_server_request_wptc which checks if the raw POST payload contains the string “IWP_JSON_PREFIX.”
If it contains this string, it calls wptc_login_as_admin (which grabs all available administrator accounts and uses the first account in the list) and you’ll be logged in as an administrator as shown below.
WordPress users who think firewalls can protect them from this vulnerability should note that researchers are adamant this is not the case. In most cases the firewall will not be able to tell a malicious coded payload from a non-threatening one. It is therefore vital that any admin of a site with the affected plugins install the newest version, in which the vulnerability is patched. Researchers at WebARX state that this flaw affects over 300,000 users, so the consequences of leaving it unpatched could be dire.
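The flaw pattern WebARX describes for Infinite WP Client, an action dispatcher in which some actions skip the authorization check, is shown here beside a hardened form. This is an added illustration, not code from either plugin or from WebARX; the HMAC scheme, the SITE_SECRET constant, the get_stats action and the sample requests are assumptions made for the example.

```php
<?php
// Added illustration: a simplified model of the flaw pattern, not plugin code.
// Assumption: legitimate requests carry an HMAC-SHA256 of the raw body made
// with a per-site secret. SITE_SECRET and 'get_stats' are hypothetical.
const SITE_SECRET = 'constructed-demo-secret';

function signature_ok(string $body, string $sig): bool
{
    // hash_equals compares in constant time.
    return hash_equals(hash_hmac('sha256', $body, SITE_SECRET), $sig);
}

// Flawed pattern: two actions are exempt from the authorization check.
function dispatch_flawed(array $req): string
{
    $exempt = ['add_site', 'readd_site'];
    $action = $req['iwp_action'] ?? '';
    if (!in_array($action, $exempt, true)
        && !signature_ok($req['body'] ?? '', $req['sig'] ?? '')) {
        return 'denied';
    }
    return "handled:$action";
}

// Hardened pattern: verify first, then dispatch only allow-listed actions.
function dispatch_hardened(array $req): string
{
    $known = ['add_site', 'readd_site', 'get_stats'];
    $action = $req['iwp_action'] ?? '';
    if (!signature_ok($req['body'] ?? '', $req['sig'] ?? '')) {
        return 'denied';
    }
    return in_array($action, $known, true) ? "handled:$action" : 'denied';
}

// Constructed sample requests: one unsigned, one correctly signed.
$body = '{"constructed":"sample"}';
$unsigned = ['iwp_action' => 'add_site', 'body' => $body, 'sig' => ''];
$signed = ['iwp_action' => 'add_site', 'body' => $body,
           'sig' => hash_hmac('sha256', $body, SITE_SECRET)];

foreach (['unsigned' => $unsigned, 'signed' => $signed] as $name => $req) {
    printf("%-8s flawed=%s hardened=%s\n", $name,
        dispatch_flawed($req), dispatch_hardened($req));
}
```

The same rule applies to the marker-string check described for WP Time Capsule: a value any client can place in a request is not a credential, so it must never stand in for verification.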