Security Risk: High
Exploitation Level: Easy/Remote
DREAD Score: 8/10
Vulnerability: Privilege escalation and potential Object Injection vulnerability.
Patched Version: 1.3.8
If you’re using the InfiniteWP WordPress Client plugin to manage your website, now is a good time to update. While doing a routine audit of our Website Firewall product, we discovered a vulnerability in the plugin that a malicious individual could use to 1) disable a user’s website by putting it in maintenance mode and 2) control the content of the maintenance page.
What are the risks?
Every website using an InfiniteWP Client version below 1.3.8 is at risk. An attacker who knows the site administrator’s username could force your website to display malicious content. They can force your site into maintenance mode, and any of the following could be injected:
- Spam links
- Defacement messages (the infamous “hacked by” type of attack)
Additionally, this security update also fixes a potential Object Injection vulnerability, although our proof of concept didn’t exploit that particular issue.
As always, if you use an affected version of this plugin, update as soon as possible!
The InfiniteWP Client listens for commands on the php://input stream; once decoded, these commands are used to perform administrative actions on the website. The commands are authenticated using PHP’s OpenSSL functions, which block anyone trying to spoof requests to the client. However, in this specific case the plugin allowed certain actions to be executed before the authentication check ran.
One of these commands allows an attacker to set the whole website on “maintenance mode” and set the maintenance message to whatever he wants. We will not disclose any more details for at least 30 days, but you can see how serious it is.
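The bug class described above, dispatching some actions before the request signature is verified, is easiest to see side by side with the corrected ordering. The following PHP is an added illustration written for this post; it is not InfiniteWP’s code, and the JSON envelope, the `maintenance_mode` action name, the `params` layout and the public-key handling are all assumptions. It also decodes the body with `json_decode` rather than `unserialize`, which is the usual way to keep an input channel like this free of PHP object injection.

```php
<?php
// Added illustration (not the plugin's code): a command endpoint that reads a
// request body from php://input and must verify its signature before acting.
// Constructed envelope format (assumption):
//   {"action": "...", "params": {...}, "signature": "<base64 RSA-SHA256>"}

function read_command(): ?array {
    $raw = file_get_contents('php://input');
    // json_decode on untrusted input: no object instantiation, unlike unserialize()
    $msg = json_decode($raw, true);
    if (!is_array($msg) || !isset($msg['action'], $msg['signature'])) {
        return null;
    }
    return $msg;
}

function verify_signature(array $msg, string $publicKeyPem): bool {
    // The signature covers exactly the fields that influence behaviour.
    $signed = json_encode(['action' => $msg['action'], 'params' => $msg['params'] ?? []]);
    $sig = base64_decode($msg['signature'], true);
    if ($sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        return false;
    }
    // openssl_verify returns 1 on success, 0 on mismatch, false/-1 on error
    return openssl_verify($signed, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

function set_maintenance(array $params): string {
    // Hypothetical action body: escape the message so it cannot carry markup.
    $message = htmlspecialchars((string)($params['message'] ?? 'Back soon'), ENT_QUOTES, 'UTF-8');
    return "maintenance on: $message";
}

function run_action(array $msg): string {
    switch ($msg['action']) {
        case 'maintenance_mode':
            return set_maintenance($msg['params'] ?? []);
        default:
            return 'unknown action';
    }
}

// Flawed ordering (the class of defect discussed above): one action is handled
// before the signature check, so any client that can reach the endpoint and
// build a well-formed envelope gets it executed.
function dispatch_flawed(array $msg, string $publicKeyPem): string {
    if ($msg['action'] === 'maintenance_mode') {
        return set_maintenance($msg['params'] ?? []);   // runs unauthenticated
    }
    if (!verify_signature($msg, $publicKeyPem)) {
        http_response_code(403);
        return 'invalid signature';
    }
    return run_action($msg);
}

// Corrected ordering: nothing about the command is consulted until the
// signature verifies, so the auth check cannot be bypassed per-action.
function dispatch_fixed(array $msg, string $publicKeyPem): string {
    if (!verify_signature($msg, $publicKeyPem)) {
        http_response_code(403);
        return 'invalid signature';
    }
    return run_action($msg);
}

$publicKeyPem = file_get_contents(__DIR__ . '/client_public.pem'); // assumed key location
$msg = read_command();
echo $msg === null ? 'bad request' : dispatch_fixed($msg, $publicKeyPem);
```

The point for reviewers of any remote-management plugin is structural: the signature check belongs at the single entry point, ahead of the `switch` on the action name, so that adding a new action later cannot silently land outside the authenticated path.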
Upgrade as soon as possible!
This is a very dangerous vulnerability; upgrade your affected websites immediately!