Critical WordPress Bug Leaves 320,000 Sites Open to Attack
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password.
All an attacker needs is the admin username of the targeted WordPress site; with that alone, the plugins grant access, according to researchers from WebArx, who created proof-of-concept attacks to exploit the vulnerability.
According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin.
Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server.
That allows site owners to "Perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously," according to a Wordfence description.
News URL: https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/