InfiniteWP Client Plugin Critical Authentication Bypass Vulnerability affecting 300,000+ WordPress sites!

A vulnerability has been discovered in the InfiniteWP Client plugin versions 1.9.4.4 or earlier. InfiniteWP Client is currently installed on over 300,000 WordPress sites.

The InfiniteWP Client plugin works by allowing a central management server to authenticate to the WordPress installation so that site owners can manage the site. From a central location, site owners can perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously. The InfiniteWP Client plugin authenticates the central management server to each WordPress installation.

Read our posts on WordPress Security here

This is a critical authentication bypass vulnerability  so far, the WordPress security company have not seen evidence of this vulnerability being exploited in the wild, but they expect to see attempts in the near future. The proof of concept  about critical authentication bypass vulnerability on InfiniteWP Client plugin was published on January 14, 2020.

How the InfiniteWP Client Plugin Critical Authentication Bypass Vulnerability happens

When a site is initially setup using InfiniteWP Client plugin, it needs to connect to the InfiniteWP server software. The InfiniteWP server sends a request to the InfiniteWP client and passes on a public key. The InfiniteWP server has the corresponding private key which is used to sign requests. Subsequent requests from the InfiniteWP server to the InfiniteWP client can be authenticated by the site by verifying the signature using the public key. The initial request from the InfiniteWP server uses one of two actions, add_site or readd_site. By design, these actions are unauthenticated (since we don’t yet have a public key). Unfortunately, the code is structured so that some features can still be used. In this case, InfiniteWP client provides a feature to automatically login as an administrator without supplying a password.

When a site is initially connected to the InfiniteWP server, the request made by InfiniteWP server to the site actually exploits this vulnerability (unintentionally). This mades it quite difficult to write a WAF rule to protect against this vulnerability since legitimate and malicious requests can be identical.

WordFence thus recommends that if you are using InfiniteWP client version 1.9.4.4 or earlier you should  immediately update your installation to protect your site.

Read more about this critical vulnerability on the InfiniteWP Client plugin and what you need to do to protect your sites on the Wordfence blog.

Before you go: Please subscribe to our website for the latest tips, ideas and recommendations to make your WordPress site wonderful.

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 152 other subscribers

%d bloggers like this: