On January 16, ChinaZ.com (the "webmaster's home") reported, citing ZDNet, that two WordPress plugins, InfiniteWP Client and WP Time Capsule, contain serious security vulnerabilities; an estimated 320,000 websites are exposed.
Both plugins are used to manage multiple WordPress sites from a single server and to create backups of files and database entries when updates are published. Security researchers at WebArx found a logic flaw in the code that lets an attacker log in to an administrator account without a password.
According to WordPress plugin directory data, InfiniteWP Client is active on more than 300,000 sites and WP Time Capsule on at least 20,000.
On Tuesday the research team said the flaw affects InfiniteWP Client versions below 1.9.4.5. The logic error means that a POST request whose payload is JSON-encoded and then Base64-encoded bypasses the password check; an attacker only needs to know an administrator's username to log in.
In WP Time Capsule versions below 1.21.16, the problem lies in a function that can be triggered by adding a crafted string to the raw POST request. That function retrieves all available administrator accounts and logs in as the first administrator in the list.
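The flaw described for both plugins comes down to the same pattern: a management endpoint treats a well-formed request envelope as proof that the request came from the paired management server and performs a login without checking a password or any other credential. The following Python model is an added example written for this page, not code from either plugin, from WordPress or from WebArx. The function names, the `login` and `login_first_admin` actions, the sample administrator list and the HMAC-based signing scheme used in the hardened variant are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample data for this example (not taken from the plugins).
ADMIN_USERS = ["admin", "second-admin"]        # administrators on the site
SITE_SECRET = b"constructed-per-site-secret"  # known only to the paired manager


def encode_request(payload: dict, secret: Optional[bytes] = None) -> bytes:
    """Build the base64(JSON) envelope the article describes.

    With a secret, the raw payload is authenticated with an HMAC-SHA256 tag
    (a hypothetical scheme used by the hardened dispatcher below).
    """
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    envelope = {"payload": base64.b64encode(raw).decode()}
    if secret is not None:
        envelope["tag"] = hmac.new(secret, raw, hashlib.sha256).hexdigest()
    return base64.b64encode(json.dumps(envelope).encode())


def _decode(body: bytes) -> Tuple[dict, bytes, Optional[str]]:
    """Return (payload, raw payload bytes, tag or None) from an envelope."""
    envelope = json.loads(base64.b64decode(body))
    raw = base64.b64decode(envelope["payload"])
    return json.loads(raw), raw, envelope.get("tag")


def _login(username: str) -> dict:
    """Stand-in for creating an authenticated administrator session."""
    return {"logged_in_as": username}


def vulnerable_dispatch(body: bytes) -> dict:
    """Models the flawed logic: a correctly formed envelope is taken as proof
    of origin, so login actions are honoured without any credential.

    - "login" needs only an administrator's username (the InfiniteWP case).
    - "login_first_admin" needs no username at all and picks the first
      administrator on the site (the WP Time Capsule case).
    """
    payload, _, _ = _decode(body)
    action = payload.get("action")
    if action == "login" and payload.get("username") in ADMIN_USERS:
        return _login(payload["username"])
    if action == "login_first_admin":
        return _login(ADMIN_USERS[0])
    return {"error": "unknown action"}


def hardened_dispatch(body: bytes) -> dict:
    """Same dispatcher, but the payload must carry a valid HMAC tag computed
    with the per-site secret before any action is considered. Knowing a
    username is no longer enough; the attacker would need the secret."""
    payload, raw, tag = _decode(body)
    expected = hmac.new(SITE_SECRET, raw, hashlib.sha256).hexdigest()
    if tag is None or not hmac.compare_digest(tag, expected):
        return {"error": "missing or invalid signature"}
    action = payload.get("action")
    if action == "login" and payload.get("username") in ADMIN_USERS:
        return _login(payload["username"])
    if action == "login_first_admin":
        return _login(ADMIN_USERS[0])
    return {"error": "unknown action"}


if __name__ == "__main__":
    forged = encode_request({"action": "login", "username": "admin"})
    print("vulnerable:", vulnerable_dispatch(forged))   # admin session, no password
    print("hardened:  ", hardened_dispatch(forged))     # rejected
    legit = encode_request({"action": "login", "username": "admin"}, SITE_SECRET)
    print("hardened, signed by manager:", hardened_dispatch(legit))
```

The forged request carries nothing that looks hostile: it is valid Base64 wrapping valid JSON with an ordinary username, which is why a signature-based rule in a web application firewall has nothing to match on. Note that the HMAC in the hardened variant only stops forgery; a captured, legitimately signed request could still be replayed unless the signed payload also carries a nonce or timestamp that the site checks.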
WebArx reported the vulnerabilities to the developers of both plugins on January 7; the developers responded quickly and released updates a day later. WebArx recommends that site administrators install the updates as soon as possible, because firewall protection will not stop this attack.