Scroll Top

Authentication bypass bugs in 3 plugins make 400,000 websites vulnerable

January 23, 2020

Researchers have discovered authorization bypass bugs in three WordPress plugins, making a total of 400,000 WordPress websites vulnerable to cyber attacks. The affected plugins are InfiniteWP, WP Time Capsule and the WP Database Reset plugin.

InfiniteWP Client

InfiniteWP Client was hit the hardest by the authentication bypass bug. This plugin makes it possible for admins to manage multiple websites from a single server. So if the bug is misused, the hacker has immediate access to all those websites. With over 300,000 active installations, InfiniteWP Client also has the largest reach of all three plugins.

Do you use the InfiniteWP Client plugin and run version 1.9.4.4 or lower? Then you must update to version 1.9.4.5 as soon as possible.

 

WP Time Capsule

WP Time Capsule is a plugin that makes it easy to make backups of your website data. The free version of the plugin is active on more than 20,000 WordPress websites.

Do you use the WP Time Capsule plugin? Version 1.21.16 contains a patch, so it is best to update immediately if you are running an older version.

 

WP Database Reset

WP Database Reset makes it possible to reset the WordPress database with just a few clicks. The bug allows malicious users to remove all data from an affected website, including pages, blog posts, users and settings. A second vulnerability in this plugin ensures that every logged-in user (also with limited system rights) can obtain admin privileges and thus exclude all other users. WP Database Reset has more than 80,000 active installations.

To prevent the above problem, it is recommended to immediately update the plugin to version 3.15; this update contains patches for both bugs.

 

Want to know more about these authentication bypass bugs?

The good news is that there are as yet no reports of abuse of the vulnerabilities in these plugins. If you want to know more about the authentication bypass bugs, you can consult this blog post on Wordfence.com.

Related Posts

Rich Reviews plugin for WordPress vulnerability actively abused

The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019. This was done due to a security issue. It appears that there is still active abuse of the XSS vulnerability found in the plugin. Wordfence estimates that the plugin has around 16,000 active installations. These…

09 Oct 2019
Drupal security vulnerabilities discovered SA-CORE-2017-003

  Multiple vulnerabilities for the Drupal CMS have been discovered. Drupal have released versions 8.3.4 and 7.56 which contain fixes for these security vulnerabilities. We recommend that you update Drupal as soon as possible.

24 Jun 2017
Three vulnerabilities in LearnPress discovered

Three vulnerabilities in LearnPress prior to version 3.1.0 have been discovered. LearnPress is a popular plugin with more than 50.000 installations for the WordPress CMS that can be used to create and sell courses online. LearnPress is similar to Moodle, an open source learning platform.

13 Jan 2019
WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

15 Sep 2015
vulnerability uncovered in aapanel hosting control panel

aaPanel is a free and Open source Hosting Control Panel for RHEL and Debian based systems. It is the Internationalized version for the BAOTA panel(www.bt.cn), developed in China. It allows users to manage their web server through a web-based GUI (Graphical User Interface).

28 Jun 2020
Bash / Shellshock Patches May Not be Enough to Protect Systems

Simply patching systems against the Bash/Shellshock vulnerability may not be adequate. Attacks exploiting the flaw appeared within a day of its disclosure. Those attacks may have made changes to systems that would not be remedied by the application of a patch.

18 Oct 2014
WordPress plugin Spambyebye vulnerable

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

24 Jan 2019
Vulnerability Patched in Ad Inserter Plugin for WordPress

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible.

17 Jul 2019
Bash Security Update(s) Issued

We have been made aware of a serious security vulnerability in Bash that affects multiple operating systems and applications.

25 Sep 2014
Another vulnerability found in WP Live Chat Support plugin

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

24 May 2019
cPanel TSR-2017-0003 Security Update

An update for cPanel was just released to address various security vulnerabilities. These updates provide targeted changes to address security concerns with cPanel and WHM. We recommend that you update as soon as possible.

16 May 2017
OpenSSL announce versions 1.0.2d and 1.0.1p

The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as “high” severity. This defect does not affect the 1.0.0 or 0.9.8 releases.

08 Jul 2015
Malware campaign targeting 11 WordPress plugins

Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month. However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.

14 Sep 2019
New VMware bug exploited to breach networks

A vulnerability that VMware patched recently in some of its products, is currently being exploited and Russian threat actors are leveraging this vulnerability to install malware on corporate systems and access protected data, the National Security Agency (NSA) warned on Monday.

08 Dec 2020
Joomla 3.7.1 Security and bugfix release

Joomla! 3.7.1 is now available. This is a security release for the 3.x series of Joomla! which addresses one critical security vulnerability and several bug fixes. The security issue was found to be the result of inadequate filtering of requested data that lead to a SQL Injection vulnerability. We…

17 May 2017
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy