Critical WordPress Flaws Leave 300,000+ Websites Vulnerable to Takeover
WordPress, the hugely popular open-source content management system, is well known as an attack target. Because the platform is open and extensible, site owners run thousands of third-party plugins alongside it, and every one of those plugins adds risk if its code has not been properly vetted. It was recently disclosed that two WordPress plugins contain a bug that lets attackers into a site's admin backend without a password.
The vulnerable plugins, InfiniteWP Client and WP Time Capsule, are installed on roughly 320,000 websites between them. The bug is an authentication bypass: an attacker can skip the login check entirely and needs nothing more than an administrator's username for the plugin to log them in to the site's backend. WebArx, a web application security firm, published a write-up describing how the flaw was found.
The vulnerabilities were first reported to the plugin developers on Jan 7, 2020, and patched versions are now available. Because the bypass is so easy to exploit (no password, just a username), it was given a CVSS score of 9.8, which is rated critical. CVSS, the Common Vulnerability Scoring System, is a free and open industry standard for assessing the severity of software security vulnerabilities. It assigns a score from 0 to 10, with 10 being the most severe, so that security teams can compare vulnerabilities and prioritize which ones to fix first.
Websites running a version of the InfiniteWP Client plugin below 1.9.4.5, or WP Time Capsule version 1.21.16 or below, are exposed to this attack and should update immediately.
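A practical first step for anyone administering several sites is to check which installs are still on an affected release. The script below is an added example for this article (not WebArx's or either plugin's code): it parses the header comment WordPress reads from a plugin's main PHP file, compares the Version field numerically against the first fixed release, and flags anything older. The plugin headers are constructed samples, and the fixed-release thresholds are my assumption derived from the affected ranges given above (1.9.4.5 for InfiniteWP Client, 1.21.17 for WP Time Capsule); confirm them against the vendors' changelogs before relying on the result.

```python
import re

# Constructed sample plugin files (not real ones): the header comment WordPress
# reads from each plugin's main PHP file to learn its name and version.
SAMPLE_PLUGIN_FILES = {
    "iwp-client/init.php": "<?php\n/*\nPlugin Name: InfiniteWP Client\nVersion: 1.9.4.4\n*/\n",
    "wp-time-capsule/wp-time-capsule.php": (
        "<?php\n/**\n * Plugin Name: WP Time Capsule\n * Version: 1.21.17\n */\n"
    ),
    "hello-dolly/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
}

# First release that is NOT affected. Assumption based on the affected ranges in the
# article; verify against the vendor changelogs before trusting these values.
FIXED_IN = {
    "InfiniteWP Client": "1.9.4.5",
    "WP Time Capsule": "1.21.17",
}

# Header lines may be prefixed with comment decoration such as "/*", " * " or "#".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a plugin's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(source):
        fields.setdefault(key, value)  # first occurrence wins, as WordPress does
    return fields


def version_tuple(version: str) -> tuple:
    """Numeric tuple so that 1.9.4.10 > 1.9.4.5 (string comparison would get this wrong)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(name: str, version: str):
    """True if a tracked plugin predates its fixed release, False if patched, None if untracked."""
    if name not in FIXED_IN:
        return None
    return version_tuple(version) < version_tuple(FIXED_IN[name])


def audit(plugin_files: dict) -> list:
    """Return (path, name, version, vulnerable) for every tracked plugin found."""
    findings = []
    for path, source in plugin_files.items():
        header = parse_plugin_header(source)
        name, version = header.get("Plugin Name"), header.get("Version")
        if not name or not version:
            continue  # not a plugin main file, or header is malformed
        verdict = is_vulnerable(name, version)
        if verdict is not None:
            findings.append((path, name, version, verdict))
    return findings


if __name__ == "__main__":
    for path, name, version, vulnerable in audit(SAMPLE_PLUGIN_FILES):
        status = "VULNERABLE, update now" if vulnerable else "patched"
        print(f"{name} {version} ({path}): {status}")
```

On a real server, feed `audit()` the contents of each `wp-content/plugins/<slug>/<main-file>.php` instead of the constructed samples. Comparing version strings numerically matters here: the InfiniteWP release after 1.9.4.9 would sort before 1.9.4.5 as a plain string and be reported as vulnerable when it is not.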