E Security News, January 18. According to foreign media reports, the two WordPress plugins InfiniteWP Client and WP Time Capsule share the same kind of authentication bypass vulnerability, which lets an attacker reach a site's admin back end without a password. The flaws were reportedly first discovered on January 7, 2020; the developers released patched versions of both plugins the next day, and WebArx publicly disclosed the bugs on Tuesday this week.
The two plugins exist to let users manage multiple WordPress installations from a central server. According to Wordfence, they let a site owner run maintenance tasks from one place: one-click updates and backups of core, plugins and themes across all managed sites, and activating or deactivating plugins and themes on many sites at the same time.
WebArx researchers said an attacker needs only the username of a WordPress administrator account on the target site; with that, they can build a proof of concept and launch the attack. In its blog post on Wednesday, the WebArx research team said both plugins contain logic flaws that let an attacker log into an administrator account without a password. The vulnerability is very dangerous: according to WordPress plugin repository statistics, about 300,000 websites run vulnerable versions of InfiniteWP Client, and by the research team's count WP Time Capsule is installed on about 20,000 websites.
InfiniteWP Client vulnerability
According to WebArx, InfiniteWP Client versions below 1.9.4.5 are affected, and the proof of concept for these versions is very simple. The flaw is rated 9.8 on the Common Vulnerability Scoring System (CVSS), critical severity.
The proof-of-concept attack first builds a JSON-encoded payload, then Base64-encodes it, and sends it to the target site as the raw body of a POST request. The main problem lies in the function iwp_mmb_set_request in the init.php file. WebArx explained that this function checks whether the request_params variable of the IWP_MMB_Core class is empty; that variable is populated only when the payload meets certain conditions. Once it is, the username supplied by the attacker is used to log in as that user without any further authentication, so no password is needed.
According to the researchers, the main condition is that the iwp_action parameter of the payload must equal readd_site or add_site, because those are the only actions without an authorization check. That missing authorization check is the root cause of the vulnerability.
WP Time Capsule vulnerability
For WP Time Capsule, the researchers say versions earlier than 1.21.16 are vulnerable. Its payload is even simpler: the raw POST body only has to contain a particular string. The problem is located at line 12 of wptc-cron-functions.php, where the parse_request function calls decode_server_request_wptc, which checks whether the raw POST payload contains the string 'IWP_JSON_PREFIX'.
In short: if the request contains that string, the plugin calls wptc_login_as_admin, which fetches all available administrator accounts, takes the first one in the list, and logs the requester in as that administrator.
How to mitigate the vulnerabilities
On defense, WebArx warned that a firewall may give users a false sense of security with this kind of flaw. Authentication bypasses are usually logic errors in the code and do not involve an obviously suspicious payload, so they are hard to find and hard to attribute. They added that because the payload is encoded, it can be difficult to distinguish from a legitimate one.
Because of the nature of the flaw, the researchers said, cloud-based firewalls may not be able to tell malicious traffic from legitimate traffic and so may not defend against this attack effectively. The fix is to update both plugins to the patched versions.
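The WebArx point above (an encoded payload looks like legitimate management traffic to a firewall) is why a useful detection has to undo the plugin's framing rather than pattern-match the raw body. The following is an added example written for this article, not code from either plugin or from WebArx. It decodes the Base64-wrapped JSON described in the InfiniteWP Client section, flags the two actions the article says lack an authorization check, and separately flags a body that carries the marker string with nothing decodable behind it, the shape described in the WP Time Capsule section. The article only names the substring 'IWP_JSON_PREFIX'; the underscores around it in the sample bodies, and the field names iwp_action and params.username, are assumptions for this example, not verified against plugin source.

```python
"""Triage raw POST bodies for the InfiniteWP Client / WP Time Capsule
authentication-bypass pattern. Added example; not plugin or WebArx code.
Assumptions (marker framing, payload field names) are marked inline."""
import base64
import json
from dataclasses import dataclass
from typing import Optional

# The article names the substring 'IWP_JSON_PREFIX'. The underscores used when
# building sample bodies below are an assumption about the exact framing.
MARKER = "IWP_JSON_PREFIX"

# The two iwp_action values the article says skip the authorization check.
UNAUTHENTICATED_ACTIONS = frozenset({"add_site", "readd_site"})


@dataclass(frozen=True)
class Finding:
    rule: str                 # which rule fired
    action: Optional[str]     # decoded iwp_action, when one was present
    username: Optional[str]   # account the request asks to be logged in as


def build_iwp_body(action: str, username: str) -> str:
    """Build a body in the framing the article describes: JSON, then Base64,
    placed after the marker. The field names 'iwp_action' and
    'params.username' are an assumption for this example."""
    payload = {"iwp_action": action, "params": {"username": username}}
    encoded = base64.b64encode(json.dumps(payload).encode()).decode()
    return f"_{MARKER}_{encoded}"


def decode_iwp_payload(body: str) -> Optional[dict]:
    """Undo the framing. Returns the JSON object, or None when the marker is
    absent or whatever follows it is not Base64-wrapped JSON."""
    idx = body.find(MARKER)
    if idx < 0:
        return None
    tail = body[idx + len(MARKER):].lstrip("_ \t\r\n")
    try:
        raw = base64.b64decode(tail, validate=True)
        payload = json.loads(raw)
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return None
    return payload if isinstance(payload, dict) else None


def inspect_body(body: str) -> list[Finding]:
    """Return the findings for one raw POST body (empty list when clean)."""
    if MARKER not in body:
        return []
    payload = decode_iwp_payload(body)
    if payload is None:
        # Marker present but nothing decodable behind it: the article says the
        # bare string alone is enough to reach the WP Time Capsule login path.
        return [Finding("marker_without_payload", None, None)]
    action = payload.get("iwp_action")
    params = payload.get("params")
    username = params.get("username") if isinstance(params, dict) else None
    if action in UNAUTHENTICATED_ACTIONS:
        return [Finding("unauthenticated_site_registration", action, username)]
    return []


def scan(bodies: dict[str, str]) -> dict[str, list[Finding]]:
    """Run inspect_body over a batch and keep only the bodies with findings."""
    results = {}
    for name, body in bodies.items():
        hits = inspect_body(body)
        if hits:
            results[name] = hits
    return results


# Constructed sample bodies, not captured traffic: a bypass-shaped request,
# a routine management request, a bare marker, and an ordinary login form.
SAMPLE_BODIES = {
    "readd_site_as_admin": build_iwp_body("readd_site", "admin"),
    "routine_backup": build_iwp_body("backup", "admin"),
    "bare_marker": MARKER,
    "wp_login_form": "log=admin&pwd=hunter2&wp-submit=Log+In",
}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_BODIES).items():
        for hit in hits:
            print(f"{name}: {hit.rule} action={hit.action} username={hit.username}")
```

Run it and only readd_site_as_admin and bare_marker are reported; the routine backup request, which carries the same marker and the same encoding, is not, which is the distinction a byte-matching firewall rule cannot make. A genuine first-time site registration from the real management server also matches the first rule, so treat hits as items to review against known server addresses rather than as an automatic block, and keep the plugin update as the actual fix.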