WordPress Vulnerability Detail

Authentication Bypass Vulnerability in InfiniteWP Client <= 1.9.4.4 

January 16, 2020, by Marc-Alexandre Montpas

Exploitation Level: Very Easy

DREAD Score: 9.4

Vulnerability: Authentication Bypass

Patched Version: 1.9.4.5


An authentication bypass vulnerability affecting more than 300,000 InfiniteWP Client plugin users has recently been disclosed to the public. This plugin allows site owners to manage multiple websites from one central server using the InfiniteWP Server.

Due to the nature of this plugin, this is a serious vulnerability that should be patched as soon as possible to mitigate risk. InfiniteWP users can update their plugin with the latest version 1.9.4.5.

Am I Impacted?

A patch was released earlier this month to protect against this vulnerability. If you are using version 1.9.4.4 or earlier, you are at risk and can be impacted by an exploit.

This vulnerability allows an attacker to connect as any administrator present on the website. Successful attacks can lead to complete site takeover by bad actors.

Are Sucuri Customers Protected?

Yes. We have added a new rule to our firewall that virtually patches our customers against this vulnerability by blocking the encoded payload.

That being said, if you are already behind our firewall you may have to take an additional step to add a new site to your InfiniteWP Server instance. You’ll need to whitelist your InfiniteWP Server’s IP address in your WAF account settings to add any additional domains.

Technical Details

If an attacker knows the username of a site administrator and has identified that the website is using a vulnerable version of InfiniteWP Client, the authentication bypass is relatively straightforward.

Attackers encode the malicious payload as JSON and then Base64 before sending it to a vulnerable site in a POST request. Once the request has been processed, the bad actor is logged in as the targeted user without needing a password.

Missing Authorization Checks

Logical issues in the code are responsible for this vulnerability in InfiniteWP Client.

The function iwp_mmb_set_request — located in the init.php file — checks if the request_params variable is empty. This variable is only populated on the condition that the iwp_action parameter equals readd_site or add_site.

Since the readd_site and add_site actions don’t have proper authorization checks in place, the attacker is able to bypass the password requirement and use the supplied username parameter to log in without further authentication.
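The firewall rule described above boils down to one check: a POST body that decodes (Base64, then JSON) to an add_site or readd_site request must only be accepted from the site owner's own InfiniteWP Server. The following is an added illustration, not Sucuri's rule or the plugin's code; the exact JSON layout (a top-level iwp_action key with a nested params.username) and the IP addresses are constructed assumptions.

```python
import base64
import json

# Actions that, in InfiniteWP Client <= 1.9.4.4, populate request_params
# without an authorization check (per the advisory above).
UNAUTHENTICATED_ACTIONS = frozenset({"add_site", "readd_site"})


def encode_iwp_body(payload: dict) -> bytes:
    """Build a constructed request body in the Base64-wrapped JSON shape
    the advisory describes (payload layout is an assumption)."""
    return base64.b64encode(json.dumps(payload).encode("utf-8"))


def decode_iwp_body(body: bytes):
    """Decode a POST body as Base64-wrapped JSON; return a dict or None.
    Anything that is not valid Base64/JSON is simply not an IWP request."""
    try:
        data = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # binascii.Error and JSONDecodeError both subclass it
        return None
    return data if isinstance(data, dict) else None


def classify_request(src_ip: str, body: bytes, allowed_server_ips) -> str:
    """WAF-style verdict: 'block' an add_site/readd_site request unless it
    comes from an allow-listed InfiniteWP Server IP, otherwise 'allow'."""
    data = decode_iwp_body(body)
    if data is None:
        return "allow"
    if data.get("iwp_action") in UNAUTHENTICATED_ACTIONS:
        return "block" if src_ip not in allowed_server_ips else "allow"
    return "allow"


# Constructed sample traffic: one legitimate server, one unknown source.
ALLOWED_SERVER_IPS = frozenset({"198.51.100.10"})
ADD_SITE = encode_iwp_body({"iwp_action": "add_site",
                            "params": {"username": "admin"}})


def run_rule():
    """Apply the rule to the constructed samples; returns the verdict list."""
    samples = [("198.51.100.10", ADD_SITE),      # owner's IWP Server
               ("203.0.113.7", ADD_SITE),        # unknown source
               ("203.0.113.7", b"page=2&sort=asc")]  # ordinary form post
    return [classify_request(ip, body, ALLOWED_SERVER_IPS)
            for ip, body in samples]
```

Put the allow-list in front of the plugin only after the legitimate server's address is known, otherwise the site owner's own add_site request is blocked, which is the extra step the advisory mentions for firewall customers.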

The change diff for the update, which shows the fix, is available from the WordPress.org plugin directory source.

Conclusion

Logical vulnerabilities like the ones seen in this recent disclosure can result in severe issues for web applications and components. These flaws can be exploited to bypass authentication controls — and in this case, log in to an administrator account without a password.

This is a serious vulnerability. If you are using a vulnerable version of this plugin, updating it should be your highest priority. InfiniteWP users can patch their plugins with the latest version 1.9.4.5 to mitigate risk. Sucuri Firewall users are virtually patched against exploitation.


Categories: Security Advisory, Vulnerability Disclosure, Website Security, WordPress Security
Tags: WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.
