The pair, used to manage multiple WordPress websites from one server and create backups for files and database entries when updates are issued, were examined by cybersecurity researchers from WebArx who found “logical issues in the code that allows you to login into an administrator account without a password.”
InfiniteWP is active on over 300,000 websites and WP Time Capsule is active on at least 20,000 domains, according to the WordPress plugins library.
On Tuesday, the team said the logical issues affecting InfiniteWP versions below 220.127.116.11 mean that an attacker can send a POST request whose payload is JSON wrapped in Base64 encoding to bypass the password check entirely and log in knowing only an administrator's username.
In WP Time Capsule versions below 1.21.16, a flaw in one line of the plugin's functions file can be exploited by adding a crafted string to a raw POST request; this calls a function that fetches all available administrator accounts and logs the requester in as the first admin on the list.
WebArx reported the vulnerabilities to the developer of both plugins on 7 January, who responded quickly and pushed out a software update only a day later.
In order to resolve these issues, the developer tweaked action codes, removed several function calls and added payload authenticity checks.
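To make the bug class concrete, here is an added example that is not code from either plugin or from WebArx: a deliberately simplified Python model of an authentication endpoint that accepts a Base64-encoded JSON body. The user table, the shared site secret, the `login` action name and the HMAC-based authenticity check are all assumptions made for the illustration; the real plugins' internals and fixes are not reproduced here. The vulnerable handler trusts whatever username the decoded payload names (or falls back to the first administrator, mirroring the WP Time Capsule behaviour described above), while the hardened handler refuses to decode the body at all until an HMAC over the raw request verifies.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed user table for the demonstration (hypothetical, not plugin data).
USERS = {
    "editor": {"role": "editor"},
    "alice": {"role": "administrator"},
    "bob": {"role": "administrator"},
}

# Hypothetical per-site secret shared between a management server and the site plugin.
SITE_SECRET = b"constructed-shared-secret"


def encode_body(payload: dict) -> str:
    """Serialise a request payload the way the article describes: JSON, then Base64."""
    return base64.b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def decode_body(body: str) -> dict:
    """Reverse of encode_body; note that any client can produce such a body."""
    return json.loads(base64.b64decode(body).decode())


def first_admin() -> Optional[str]:
    """Return the first administrator account, as in the WP Time Capsule issue."""
    for name, info in USERS.items():
        if info["role"] == "administrator":
            return name
    return None


def vulnerable_login(body: str) -> Optional[str]:
    """Model of the flawed logic: whoever reaches the endpoint chooses a username and is
    logged in. No password is checked and nothing proves the request came from the
    management server, so knowing an admin's username is enough."""
    payload = decode_body(body)
    if payload.get("action") != "login":  # hypothetical action name
        return None
    username = payload.get("username") or first_admin()
    return username if username in USERS else None


def sign(body: str) -> str:
    """HMAC-SHA256 over the raw (still encoded) body, keyed with the site secret."""
    return hmac.new(SITE_SECRET, body.encode(), hashlib.sha256).hexdigest()


def hardened_login(body: str, signature: str) -> Optional[str]:
    """Same endpoint with a payload authenticity check: the HMAC must verify before any
    field in the body is trusted, and the 'first admin' fallback is gone."""
    if not hmac.compare_digest(sign(body), signature):
        return None
    payload = decode_body(body)
    if payload.get("action") != "login":
        return None
    username = payload.get("username")
    return username if username in USERS else None


if __name__ == "__main__":
    body = encode_body({"action": "login", "username": "bob"})
    print("vulnerable:", vulnerable_login(body))
    print("hardened, unsigned:", hardened_login(body, "0" * 64))
    print("hardened, signed:", hardened_login(body, sign(body)))
```

The point the example makes is the one WebArx raises about firewall rules: the unsigned and the signed request bodies are byte-for-byte identical, so nothing in the encoded payload distinguishes a legitimate call from an attack. Only a check the server performs with a secret the attacker lacks can tell them apart, which is why the fix belongs in the plugin rather than in a generic WAF signature.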
It is important for webmasters to apply these patches, WebArx says, as it can be “hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins.”
“The developer was very fast to react and released the patches on the very next day after our initial report,” the team added. “It’s always great to see developers who are taking action quickly and letting their customers know about the issues to help people update to a more secure version as soon as possible.”