Critical WordPress Bug Leaves 320,000 Sites Open to Attack
Security News, January 2020
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug, which allows an adversary to reach a site's WordPress backend without supplying any password.
All an attacker needs is an administrator username for the target site and they are in, according to researchers from WebArx, who built proof-of-concept attacks to exploit the vulnerability.
According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin.
Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server.
That allows site owners to "Perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously," according to a WordFence description.
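As an added illustration of the bug class the article describes (this is not the code of InfiniteWP Client, WP Time Capsule, or WebArx's proof of concept), the Python below models a site-side request handler for a "manage this site from a central server" plugin. The vulnerable version acts on any request that names an existing administrator, which is exactly the "username is enough, no password" condition above; the hardened version requires an HMAC over the request under a per-site shared key plus a fresh timestamp, so knowing a username alone buys nothing. The user table, the shared key, the fixed clock and the `add_site` action name are all constructed for this example.

```python
import hashlib
import hmac
import json
import time

# Constructed sample site state (illustration only, not the real plugins' data):
# one administrator account and a per-site key that, in the hardened design,
# only the legitimate central server holds.
SITE_USERS = {"admin": {"id": 1, "role": "administrator"}}
SITE_SHARED_KEY = b"constructed-example-key-not-for-real-use"
MAX_SKEW_SECONDS = 300


def vulnerable_handler(request: dict) -> dict:
    """Bug class from the article: the handler trusts whatever administrator
    username the request names and logs that user in. No password, no signature,
    nothing an attacker could not learn from the site's public author pages."""
    user = SITE_USERS.get(request.get("username"))
    if user is None or user["role"] != "administrator":
        return {"ok": False, "error": "no such administrator"}
    # Equivalent to setting the current user and issuing an auth cookie.
    return {"ok": True, "logged_in_as": user["id"], "action": request.get("action")}


def sign_request(request: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the request body."""
    canonical = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def hardened_handler(request: dict, signature: str, now=None) -> dict:
    """Same action, but only for a request the central server actually signed
    with the per-site key, and only while its timestamp is fresh."""
    now = time.time() if now is None else now
    ts = request.get("timestamp")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW_SECONDS:
        return {"ok": False, "error": "missing or stale timestamp"}
    expected = sign_request(request, SITE_SHARED_KEY)
    # Constant-time comparison; the signature is checked before any user lookup.
    if not isinstance(signature, str) or not hmac.compare_digest(expected, signature):
        return {"ok": False, "error": "bad signature"}
    user = SITE_USERS.get(request.get("username"))
    if user is None or user["role"] != "administrator":
        return {"ok": False, "error": "no such administrator"}
    return {"ok": True, "logged_in_as": user["id"], "action": request.get("action")}


# --- The four cases a practitioner wants to see ----------------------------

NOW = 1_578_000_000.0  # fixed clock (early January 2020) so the walkthrough is deterministic


def attacker_against_vulnerable() -> dict:
    """Attacker knows only the admin username; the vulnerable handler lets them in."""
    return vulnerable_handler({"username": "admin", "action": "add_site"})


def attacker_against_hardened() -> dict:
    """Same attacker, no key: whatever signature they supply fails to verify."""
    req = {"username": "admin", "action": "add_site", "timestamp": NOW}
    forged = sign_request(req, b"guess")  # attacker does not hold SITE_SHARED_KEY
    return hardened_handler(req, forged, now=NOW)


def central_server_against_hardened() -> dict:
    """Legitimate central server signs with the provisioned key and is accepted."""
    req = {"username": "admin", "action": "add_site", "timestamp": NOW}
    return hardened_handler(req, sign_request(req, SITE_SHARED_KEY), now=NOW)


def replay_against_hardened() -> dict:
    """A captured, correctly signed request replayed an hour later is rejected."""
    req = {"username": "admin", "action": "add_site", "timestamp": NOW}
    sig = sign_request(req, SITE_SHARED_KEY)
    return hardened_handler(req, sig, now=NOW + 3600)


if __name__ == "__main__":
    for case in (attacker_against_vulnerable, attacker_against_hardened,
                 central_server_against_hardened, replay_against_hardened):
        print(f"{case.__name__:32s} -> {case()}")
```

The timestamp window only bounds replay to MAX_SKEW_SECONDS; a production design would also record nonces seen inside that window. In a real WordPress plugin the handler would be a PHP action hook rather than Python, but the check is the same: verify that the request was signed with the per-site secret before any user is looked up or logged in.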
News URL
https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/