Exploitation Level: Very Easy
DREAD Score: 9.4
Vulnerability: Authentication Bypass
Patched Version: 1.9.4.5
An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to manage multiple websites from one central server using the InfiniteWP Server.
Due to the nature of this plugin, this is a serious vulnerability that should be patched as soon as possible to mitigate risk. InfiniteWP users can update their plugin with the latest version 1.9.4.5.
Am I Impacted?
A patch was released earlier this month to protect against this vulnerability. If you are using version 1.9.4.4 or earlier, you are at risk and can be impacted by an exploit.
This vulnerability allows an attacker to connect as any administrator present on the website. Successful attacks can lead to complete site takeover by bad actors.
Are Sucuri Customers Protected?
Yes. We have added a new rule in our firewall to virtually patch our customers from this vulnerability and mitigate risk from the encoded payload.
That being said, if you are already behind our firewall you may have to take an additional step to add a new site to your InfiniteWP Server instance. You’ll need to whitelist your InfiniteWP Server’s IP address in your WAF account settings to add any additional domains.
Technical Details
If an attacker knows the username of a site administrator and has identified that the website is using a vulnerable version of InfiniteWP Client, the authentication bypass is relatively straightforward.
Attackers encode the malicious payload with JSON and Base64, before sending it to a vulnerable site in a POST request. Once the request has been sent, the bad actor is logged in as the user without needing a password.
Missing Authorization Checks
Logical issues in the code are responsible for this vulnerability in InfiniteWP Client.
The function iwp_mmb_set_request — located in the init.php file — checks if the request_params variable is empty. This variable is only populated on the condition that the iwp_action parameter equals readd_site or add_site.
Since the readd_site and add_site actions don’t have proper authorization checks in place, the attacker is able to bypass the password requirement and use the supplied username parameter to log in without further authentication.
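The two points above (a Base64-wrapped JSON POST body, and the unauthenticated add_site / readd_site path) are what a virtual patch has to key on. The following is an added example written for this post, not Sucuri's firewall rule and not code from the InfiniteWP plugin. It assumes, for illustration only, that the raw POST body is Base64 text wrapping a JSON object with a top-level iwp_action key; the sample requests, IP addresses, and the unrelated action name are constructed. It mirrors the mitigation described earlier: allow the sensitive actions only from the site owner's own InfiniteWP Server IP and block them from anywhere else.

```python
import base64
import ipaddress
import json
from typing import Iterable, Optional

# Actions the advisory names as lacking an authorization check in
# InfiniteWP Client <= 1.9.4.4.
SENSITIVE_ACTIONS = {"add_site", "readd_site"}


def decode_iwp_body(body: bytes) -> Optional[dict]:
    """Decode a Base64-wrapped JSON request body into a dict.

    Returns None for anything that is not valid Base64 wrapping a JSON
    object, so unrelated POST traffic falls through untouched.
    (Assumed wire format; the real plugin may wrap the body differently.)
    """
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None
    return obj if isinstance(obj, dict) else None


def classify_request(body: bytes, source_ip: str,
                     allowed_server_ips: Iterable[str]) -> str:
    """Virtual-patch decision for one POST request.

    'pass'  - not an InfiniteWP add_site/readd_site request
    'allow' - sensitive action from an allow-listed InfiniteWP Server IP
    'block' - sensitive action from any other source
    """
    payload = decode_iwp_body(body)
    if payload is None or payload.get("iwp_action") not in SENSITIVE_ACTIONS:
        return "pass"
    allowed = {ipaddress.ip_address(ip) for ip in allowed_server_ips}
    return "allow" if ipaddress.ip_address(source_ip) in allowed else "block"


def encode_iwp_body(payload: dict) -> bytes:
    """Build a sample body in the assumed wire format (for the samples below)."""
    return base64.b64encode(json.dumps(payload).encode())


# Constructed sample traffic, not real captures. 203.0.113.10 plays the
# role of the site owner's own InfiniteWP Server; 198.51.100.7 is a
# stranger. "some_other_action" is a placeholder, not a real plugin action.
SAMPLE_REQUESTS = [
    ("203.0.113.10", encode_iwp_body({"iwp_action": "add_site"})),
    ("198.51.100.7", encode_iwp_body({"iwp_action": "readd_site"})),
    ("198.51.100.7", encode_iwp_body({"iwp_action": "some_other_action"})),
    ("198.51.100.7", b"comment=hello&submit=1"),
]
ALLOWED_SERVER_IPS = ["203.0.113.10"]


def run_sample() -> list:
    """Classify every constructed request; returns the list of verdicts."""
    return [classify_request(body, ip, ALLOWED_SERVER_IPS)
            for ip, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, _), verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{ip:15} {verdict}")
```

The allow-list is the same trade-off the firewall note above describes: once the rule is in place, adding a new site from your InfiniteWP Server only works if that server's IP is on the list, so keep it current. Anything that is not a decodable add_site / readd_site request is passed through rather than blocked, so the rule does not interfere with ordinary form posts.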
The change diff for the update, available from the WordPress.org plugin directory source, shows the fix.
Conclusion
Logical vulnerabilities like the ones seen in this recent disclosure can result in severe issues for web applications and components. These flaws can be exploited to bypass authentication controls — and in this case, log in to an administrator account without a password.
This is a serious vulnerability. If you are using a vulnerable version of this plugin, updating it should be your highest priority. InfiniteWP users can patch their plugins with the latest version 1.9.4.5 to mitigate risk. Sucuri Firewall users are virtually patched from exploitation.