Two WordPress plugins, InfiniteWP Client and WP Time Capsule, have been found to suffer from a critical authorization bypass bug that allows people to access a site’s backend with no password. All an attacker needs is the admin username for the WordPress plugins, and they are in. Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server. That allows site owners to “perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously”.

The bug was reported on January 7th, and new releases of InfiniteWP Client and WP Time Capsule were published on January 8th. WebArx publicly disclosed the bugs on January 14th. Based on the WordPress plugin library, the InfiniteWP Client plugin is active on 300,000+ websites. The InfiniteWP site claims they have 513,520 sites active.

Link to WPScan Vulnerability Database: https://wpvulndb.com/vulnerabilities/10011