Vulnerabilities have been identified in three popular plugins for the WordPress web content management system, with more than 400 thousand installations:
- In the InfiniteWP Client plugin, which has more than 300 thousand active installations, a vulnerability allows logging in as a site administrator without authentication. Since the plugin is designed to manage several sites from one server, an attacker can gain control of all sites served by InfiniteWP Client at once. To attack, it is enough to know the login of a user with administrator rights and send a specially crafted POST request (with the "add_site" or "readd_site" parameter), after which the attacker enters the management interface with that user's rights. The vulnerability is caused by an error in the implementation of the automatic login function. The problem is fixed in InfiniteWP Client 1.9.4.5.
- In the WP Database Reset plugin, which is used on approximately 80 websites, two vulnerabilities were found. The first allows the contents of any database tables to be reset to their initial state without authentication (returning them to the state of a fresh WordPress installation and deleting site-related data). The issue is caused by a lack of permission checking when performing the reset function.
The second vulnerability in WP Database Reset requires authenticated access (an account with minimal subscriber rights is sufficient) and allows site administrator privileges to be obtained: all users can be deleted from the wp_users table, after which the remaining current user is treated as an administrator. The issues are resolved in release 3.15.
- In a third plugin, which has more than 20 thousand installations, a vulnerability allows connecting with administrator rights without authentication. To carry out an attack, it is enough to add the IWP_JSON_PREFIX string to a POST request; if it is present, the wptc_login_as_admin function is called without any checks. The problem is fixed in release 1.21.16.
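The WP Database Reset and wptc_login_as_admin issues share one root cause: a privileged action is reachable from a request without any capability check. The following added example (illustrative code, not taken from any of the plugins above; handler and parameter names such as safe_plugin_handle_reset and db-reset-tables are hypothetical) shows that pattern beside a hardened WordPress handler that gates the action on a logged-in user with the manage_options capability, a nonce, and an allow-list of tables.

```php
<?php
// Added example, not any plugin's own code. All plugin-specific names are hypothetical.

// VULNERABLE pattern: the reset runs for any request carrying the parameter.
// Hooking on 'init' means unauthenticated visitors reach it too, which is the
// "no permission check" shape described above.
function vuln_plugin_handle_reset() {
    if ( isset( $_REQUEST['db-reset-tables'] ) ) {
        vuln_plugin_reset_tables( (array) $_REQUEST['db-reset-tables'] ); // no auth, no nonce
    }
}
add_action( 'init', 'vuln_plugin_handle_reset' );

// HARDENED pattern: the same action, gated before anything destructive happens.
function safe_plugin_handle_reset() {
    if ( ! isset( $_POST['db-reset-tables'] ) ) {
        return;
    }
    // 1. Only a logged-in user with site-management rights may proceed.
    //    A subscriber-level account fails this check.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a nonce issued to this user.
    check_admin_referer( 'safe_plugin_reset', 'safe_plugin_nonce' );
    // 3. Allow-list the tables instead of trusting the request. users/usermeta are
    //    deliberately absent: wiping them is what let the remaining account
    //    become administrator in the second WP Database Reset issue.
    $allowed = array( 'options', 'posts', 'postmeta', 'comments', 'commentmeta' );
    $tables  = array_map( 'sanitize_key', (array) $_POST['db-reset-tables'] );
    $tables  = array_values( array_intersect( $tables, $allowed ) );
    if ( empty( $tables ) ) {
        wp_die( 'No resettable tables selected', '', array( 'response' => 400 ) );
    }
    safe_plugin_reset_tables( $tables ); // hypothetical: performs the actual reset
}
// Registered only for authenticated admin-post.php requests; the matching
// 'admin_post_nopriv_safe_plugin_reset' hook is intentionally NOT registered,
// so anonymous requests never reach the handler at all.
add_action( 'admin_post_safe_plugin_reset', 'safe_plugin_handle_reset' );
```

The same three gates (capability, nonce, strict input validation) apply to any "log in as admin" helper: a request string such as a JSON prefix is never an authentication factor, and a function like wptc_login_as_admin must not be callable before the caller's identity and capability have been verified.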
Source: opennet.ru
