A Vulnerability in WordPress InfiniteWP Client Plugin Could Allow for Authentication Bypass

ITS ADVISORY NUMBER: 
2020-008

DATE(S) ISSUED: 
Thursday, January 16, 2020

SUBJECT: 
A Vulnerability in WordPress InfiniteWP Client Plugin Could Allow for Authentication Bypass

OVERVIEW: 
A vulnerability has been discovered in the Revmakx InfiniteWP Client Plugin that could allow for authentication bypass. WordPress is a web-based publishing application implemented in PHP, and the Revmakx InfiniteWP Client Plugin allows website administrators to manage an unlimited number of WordPress sites from a centralized management server. Successful exploitation of this vulnerability could allow for authentication bypass with admin privileges.

SYSTEMS AFFECTED: 

  • Revmakx InfiniteWP Client Plugin prior to 1.9.4.5

RISK:

Government:
Large and medium government entities: High
Small government entities: Medium

Business:
Large and medium business entities: High
Small business entities: Medium

Home Users: Low

DESCRIPTION: 
A vulnerability has been discovered in the Revmakx InfiniteWP Client Plugin that could allow for authentication bypass. This vulnerability exists because the plugin fails to properly authenticate users accessing the iwp_mmb_set_request function in the init.php file. An unauthenticated attacker can exploit this issue by encoding a payload containing the admin username as JSON, Base64-encoding the result, and sending it to the affected site in a POST request. Successful exploitation of this vulnerability could allow for authentication bypass with admin privileges.
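The following added example is not part of this advisory or of the plugin. It shows one way a defender with request-body logging (for example from a WAF) could flag the traffic pattern described above: POST bodies that Base64-decode to JSON naming a privileged account. The administrator usernames, the sample requests and the JSON key names in them are constructed assumptions.

```python
"""Flag POST bodies that Base64-decode to JSON naming a privileged account.
Added example for this advisory; not Revmakx or plugin code. Assumes the
defender knows the site's admin usernames and has request-body logs."""
import base64
import binascii
import json

ADMIN_USERNAMES = {"admin", "wpadmin"}  # assumed: the site's privileged accounts


def decode_b64_json(body: str):
    """Return the JSON value hidden in a Base64 body, or None if there is none."""
    data = body.strip()
    data += "=" * (-len(data) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(data, validate=False)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # not Base64, not UTF-8, or not JSON


def mentions_account(node, accounts) -> bool:
    """Recursively search a parsed JSON value for any of the given usernames,
    so the check does not depend on knowing the payload's key names."""
    if isinstance(node, str):
        return node in accounts
    if isinstance(node, dict):
        return any(mentions_account(v, accounts) for v in node.values())
    if isinstance(node, list):
        return any(mentions_account(v, accounts) for v in node)
    return False


def flag_requests(requests, accounts=ADMIN_USERNAMES):
    """Return ids of POST requests whose Base64-JSON body names a privileged account."""
    hits = []
    for req in requests:
        if req["method"] != "POST":
            continue
        payload = decode_b64_json(req["body"])
        if payload is not None and mentions_account(payload, accounts):
            hits.append(req["id"])
    return hits


# Constructed sample traffic: a plain form post, a harmless encoded blob,
# a body that decodes to JSON naming the admin account, and a GET.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "body": "comment=hello&post_id=7"},
    {"id": 2, "method": "POST", "body": base64.b64encode(b'{"action":"ping"}').decode()},
    {"id": 3, "method": "POST", "body": base64.b64encode(b'{"params":{"username":"admin"}}').decode()},
    {"id": 4, "method": "GET", "body": ""},
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))  # [3]
```

A single decode-and-inspect pass like this produces false positives on legitimate Base64 traffic that happens to mention an admin account, so the hits are a triage queue for review against the plugin's own signed requests, not a block list.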

ACTIONS: 

  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • After appropriate testing, immediately apply updates provided by Revmakx manually to affected systems.
  • Apply the Principle of Least Privilege to all systems and services.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES: 

WordPress:

https://wordpress.org/plugins/iwp-client/

Bleeping Computer:

https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-bug-allows-admin-logins-without-password/