Critical WordPress Bug Leaves 320,000 Sites Open to Attack (Security News, January 2020)
Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password.
All an attacker needs is the admin username of a WordPress site running either plugin, and they are in, according to researchers from WebArx, who created proof-of-concept attacks to exploit the vulnerability.
According to the WordPress plugin library, 300,000 websites are running a version of the vulnerable InfiniteWP Client plugin.
Both plugins are designed to allow users to authenticate to multiple WordPress installations from one central server.
That allows site owners to "Perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously," according to a WordFence description.
News URL
https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/