Critical vulnerabilities in WordPress plugins with more than 400,000 installations

Critical vulnerabilities have been identified in three popular plugins for the WordPress web content management system, which together have more than 400,000 installations:

  • A vulnerability in the InfiniteWP Client plugin, which has more than 300,000 active installations, allows logging in as a site administrator without authentication. Because the plugin is designed to centralize the management of several sites, an attacker can take control of every site managed through InfiniteWP Client at once. The attack requires only the login name of a user with administrator rights: by sending a specially crafted POST request (specifying the "add_site" or "readd_site" parameter), the attacker enters the management interface with that user's rights. The vulnerability is caused by an error in the implementation of the automatic login function.
    The problem is fixed in InfiniteWP Client 1.9.4.5.

  • Two vulnerabilities in the WP Database Reset plugin, which is used on roughly 80,000 sites. The first allows resetting the contents of any database table to its initial state without authentication (the result is the state of a fresh WordPress installation, with the site's data deleted). The problem is caused by a missing permission check in the reset function.

    The second vulnerability in WP Database Reset requires an authenticated account (minimal subscriber rights suffice) and allows gaining site administrator privileges: the attacker can delete all other users from the wp_users table, after which the one remaining user, the attacker's own account, is treated as an administrator. Both issues are fixed in release 3.15.

  • A vulnerability in the WP Time Capsule plugin, which has more than 20,000 installations, allows logging in with administrator rights without authentication. To carry out the attack it is enough to add the string IWP_JSON_PREFIX to a POST request; if it is present, the wptc_login_as_admin function is called without any checks. The problem is fixed in release 1.21.16.
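
All three bugs have the same shape: a value taken from the request reaches a privileged operation (creating an administrator session, truncating a table) without any proof of who sent it. The PHP below is an added illustration written for this page, not code from InfiniteWP Client, WP Database Reset or WP Time Capsule. It reproduces both patterns in a hypothetical plugin and then shows the WordPress checks that close them; every ex_-prefixed name, the ex_remote_secret option and the payload/signature request fields are invented for the example.

```php
<?php
/*
 * Added example for this page. Not code from InfiniteWP Client, WP Database
 * Reset or WP Time Capsule; a hypothetical plugin that reproduces the two bug
 * classes described above and the checks that fix them. Every ex_-prefixed
 * name and the 'ex_remote_secret' option are invented for the illustration.
 */

/* ---- Vulnerable pattern 1: "automatic login" that trusts a username ----
 * Anything that reaches wp_set_auth_cookie() without first proving the
 * caller's identity is an authentication bypass: whoever knows an admin's
 * login name gets an admin session. (Shown for contrast; not hooked.) */
function ex_vulnerable_auto_login() {
    if ( ! isset( $_POST['ex_action'] ) || 'add_site' !== $_POST['ex_action'] ) {
        return;
    }
    $login = isset( $_POST['username'] ) ? sanitize_user( wp_unslash( $_POST['username'] ) ) : '';
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID ); // no credential, signature or nonce was checked
    }
}

/* ---- Vulnerable pattern 2: destructive action with no permission check ----
 * Any visitor, or any subscriber, can trigger it. If wp_users is among the
 * resettable tables, a subscriber can wipe every other account and become
 * the only (hence administrator) user. (Shown for contrast; not hooked.) */
function ex_vulnerable_reset() {
    global $wpdb;
    if ( isset( $_POST['ex_reset_table'] ) ) {
        $table = wp_unslash( $_POST['ex_reset_table'] );
        $wpdb->query( "TRUNCATE TABLE `{$table}`" ); // caller never verified
    }
}

/* ---- Hardened form of pattern 1 ----
 * The remote-management server must prove it is authorised: the request body
 * is HMAC-signed with a per-site secret, verified in constant time, and only
 * then is a session created, and only for a user that really is an admin. */
function ex_hardened_auto_login() {
    if ( ! isset( $_POST['ex_action'] ) || 'add_site' !== $_POST['ex_action'] ) {
        return;
    }
    $secret = get_option( 'ex_remote_secret' ); // hypothetical per-site shared secret
    if ( ! is_string( $secret ) || '' === $secret ) {
        wp_die( 'Remote management is not configured', '', array( 'response' => 403 ) );
    }
    $payload   = isset( $_POST['payload'] ) ? wp_unslash( $_POST['payload'] ) : '';
    $signature = isset( $_POST['signature'] ) ? wp_unslash( $_POST['signature'] ) : '';
    if ( ! hash_equals( hash_hmac( 'sha256', $payload, $secret ), $signature ) ) {
        wp_die( 'Bad signature', '', array( 'response' => 403 ) );
    }
    $data = json_decode( $payload, true );
    $user = is_array( $data ) && isset( $data['username'] )
        ? get_user_by( 'login', sanitize_user( $data['username'] ) )
        : false;
    if ( ! $user || ! user_can( $user, 'manage_options' ) ) {
        wp_die( 'Unknown or non-admin user', '', array( 'response' => 403 ) );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
}

/* ---- Hardened form of pattern 2 ----
 * The capability check stops the subscriber-to-admin path, the nonce stops
 * CSRF, and an allow-list keeps wp_users (and arbitrary SQL identifiers)
 * out of the TRUNCATE statement. */
function ex_hardened_reset() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ex_reset_action', 'ex_reset_nonce' );
    $allowed = array( $wpdb->posts, $wpdb->postmeta, $wpdb->comments, $wpdb->options );
    $table   = isset( $_POST['ex_reset_table'] ) ? wp_unslash( $_POST['ex_reset_table'] ) : '';
    if ( ! in_array( $table, $allowed, true ) ) {
        wp_die( 'Table is not resettable', '', array( 'response' => 400 ) );
    }
    $wpdb->query( "TRUNCATE TABLE `{$table}`" );
}

add_action( 'init', 'ex_hardened_auto_login' );
add_action( 'admin_post_ex_reset', 'ex_hardened_reset' ); // runs for POST action=ex_reset
```

When auditing a plugin for this class of bug, start from the dangerous calls rather than from the request handlers: grep for wp_set_auth_cookie(), wp_set_current_user() and $wpdb->query(), then walk backwards from each one to confirm that a credential, signature, capability or nonce check stands between it and anything read from $_POST, $_GET or the request body.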


Source: opennet.ru
