A vulnerability has been discovered in the InfiniteWP Client plugin versions 18.104.22.168 or earlier. InfiniteWP Client is currently installed on over 300,000 WordPress sites.
The InfiniteWP Client plugin works by allowing a central management server to authenticate to the WordPress installation so that site owners can manage the site. From a central location, site owners can perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously. The InfiniteWP Client plugin authenticates the central management server to each WordPress installation.
This is a critical authentication bypass vulnerability so far, the WordPress security company have not seen evidence of this vulnerability being exploited in the wild, but they expect to see attempts in the near future. The proof of concept about critical authentication bypass vulnerability on InfiniteWP Client plugin was published on January 14, 2020.
How the InfiniteWP Client Plugin Critical Authentication Bypass Vulnerability happens
When a site is initially setup using InfiniteWP Client plugin, it needs to connect to the InfiniteWP server software. The InfiniteWP server sends a request to the InfiniteWP client and passes on a public key. The InfiniteWP server has the corresponding private key which is used to sign requests. Subsequent requests from the InfiniteWP server to the InfiniteWP client can be authenticated by the site by verifying the signature using the public key. The initial request from the InfiniteWP server uses one of two actions,
readd_site. By design, these actions are unauthenticated (since we don’t yet have a public key). Unfortunately, the code is structured so that some features can still be used. In this case, InfiniteWP client provides a feature to automatically login as an administrator without supplying a password.
When a site is initially connected to the InfiniteWP server, the request made by InfiniteWP server to the site actually exploits this vulnerability (unintentionally). This mades it quite difficult to write a WAF rule to protect against this vulnerability since legitimate and malicious requests can be identical.
WordFence thus recommends that if you are using InfiniteWP client version 22.214.171.124 or earlier you should immediately update your installation to protect your site.
Read more about this critical vulnerability on the InfiniteWP Client plugin and what you need to do to protect your sites on the Wordfence blog.
Before you go: Please subscribe to our website for the latest tips, ideas and recommendations to make your WordPress site wonderful.