Security Advisory – High Severity – InfiniteWP Client WordPress plugin

December 2, 2014, by Marc-Alexandre Montpas

Security Risk: High

Exploitation Level: Easy/Remote

DREAD Score: 8/10

Vulnerability: Privilege escalation and potential Object Injection vulnerability.

Patched Version: 1.3.8


If you’re using the InfiniteWP Client WordPress plugin to manage your website, now is a good time to update. While doing a routine audit of our Website Firewall product, we discovered a vulnerability in the plugin that a malicious individual could use to 1) disable a user’s website by putting it in maintenance mode and 2) control the content of the maintenance page.

What are the risks?

Every website running a version of InfiniteWP Client below 1.3.8 is at risk. An attacker who knows the site administrator’s username could force your website to display malicious content. They can force your site into maintenance mode, and any of the following could be injected:

  • JavaScript or iframe malware
  • Spam links
  • Defacement messages (the infamous “hacked by” type of attack)

Additionally, this security update fixes a potential Object Injection vulnerability, although our proof of concept did not exploit that particular issue.

As always, if you use an affected version of this plugin, update as soon as possible!

Technical details

The InfiniteWP Client listens for commands through the php://input stream; once decoded, these commands are used to perform administrative actions on the website. The commands are authenticated using PHP’s OpenSSL functions, which block anyone trying to spoof requests to the client. However, in this specific case the plugin allowed certain actions to be executed before the authentication step.

One of these commands allows an attacker to put the whole website into “maintenance mode” and set the maintenance message to whatever they want. We will not disclose any more details for at least 30 days, but you can see how serious it is.
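As an added example (not InfiniteWP’s code), here is a command handler in the shape the advisory describes, written the way the fixed ordering requires: the body is read from php://input, its signature is checked with PHP’s OpenSSL functions, and only then is any action dispatched. The envelope format, the JSON payload and the throwaway RSA key are assumptions made for this example.

```php
<?php
// Added example (not InfiniteWP's code): command endpoint that authenticates the
// request with PHP's OpenSSL functions BEFORE dispatching any action. The envelope
// {"payload": json, "signature": base64} and the key handling are constructed here.

function verify_request(string $payload, string $signatureB64, string $publicKeyPem): bool
{
    $key = openssl_pkey_get_public($publicKeyPem);
    $signature = base64_decode($signatureB64, true);
    if ($key === false || $signature === false) {
        return false;
    }
    // openssl_verify() returns 1 for a valid signature, 0 for invalid, -1/false on error.
    return openssl_verify($payload, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

function handle_request(string $rawBody, string $publicKeyPem): array
{
    // json_decode(), never unserialize(): unserialize() on untrusted input is the
    // root of PHP Object Injection, the second issue fixed in 1.3.8.
    $env = json_decode($rawBody, true);
    if (!is_array($env) || !is_string($env['payload'] ?? null) || !is_string($env['signature'] ?? null)) {
        return ['status' => 400, 'body' => 'malformed request'];
    }
    // Authenticate before even looking at which action was requested. The vulnerable
    // versions evaluated some actions (maintenance mode among them) ahead of this step.
    if (!verify_request($env['payload'], $env['signature'], $publicKeyPem)) {
        return ['status' => 403, 'body' => 'signature verification failed'];
    }
    $command = json_decode($env['payload'], true);
    switch (is_array($command) ? ($command['action'] ?? '') : '') {
        case 'maintenance_mode':
            // Reached only with a valid signature; escape the message before it is ever rendered.
            $message = htmlspecialchars((string)($command['message'] ?? ''), ENT_QUOTES, 'UTF-8');
            return ['status' => 200, 'body' => "maintenance mode on: $message"];
        default:
            return ['status' => 400, 'body' => 'unknown action'];
    }
}

// Stand-alone demonstration with a throwaway RSA key pair standing in for the server's key.
$serverKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicPem = openssl_pkey_get_details($serverKey)['key'];
$payload   = json_encode(['action' => 'maintenance_mode', 'message' => '<b>Back soon</b>']);
openssl_sign($payload, $sig, $serverKey, OPENSSL_ALGO_SHA256);
$signed   = json_encode(['payload' => $payload, 'signature' => base64_encode($sig)]);
$unsigned = json_encode(['payload' => $payload, 'signature' => base64_encode('not a signature')]);
var_dump(handle_request($signed, $publicPem)['status'], handle_request($unsigned, $publicPem)['status']);
```

The second call exercises the forged-signature path: it is rejected at verification, before the maintenance action is ever considered, which is exactly the ordering the vulnerable versions got wrong.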

Upgrade as soon as possible!

This is a very dangerous vulnerability; upgrade your affected websites immediately!


Categories: Security Advisory, Vulnerability Disclosure, WordPress Security

Tags: WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Comments

  1. Lucas Karpiuk

    December 2, 2014

    Thanks guys!

  2. Kailash

    December 3, 2014

    Thanks for the detail!

  3. Olaf Lederer

    December 4, 2014

    Sad to get this information from Sucuri first and never from the plugin author 🙁
    Thanks anyway!

    • David

      December 4, 2014

We tweeted about it officially once we fixed the bug, way before Sucuri wrote this post, and we also made sure we explained the bug in detail in our change log instead of the usual “security fix”. I am sorry if we still made you feel we didn’t care enough. We will improve on that.

      • InfiniteWP User

        December 4, 2014

        Tweeted about it? Sorry, I must have missed the notification where you tagged me to bring my attention to such a serious vulnerability. I was considering a purchase of InfiniteWP’s plugins but will be weighing the decision with this incident in mind.

        • David

          December 4, 2014

True, we could have done better and we will improve this. Sorry.

      • Olaf Lederer

        December 5, 2014

        At least to the users with an infinitewp.com account you could send out an email. There was also no warning inside the host application, which I use several times a day.

    • David

      December 5, 2014

      We have mailed all our users and also put a blog post regarding this http://infinitewp.com/blog/security-issues-patched/

  4. Howard Carson

    December 5, 2014

    All sites updated … no problem if we keep the IWP server and all client plugins up to date. Vulnerabilities exist; timely fixes when they’re discovered are appreciated. Thanks IWP for making my life easier, and thanks Sucuri for your excellent work!
