The plugins are used to manage multiple WordPress installations from one server and to back up files and database entries. They were examined by security researchers from WebArx, who found logic flaws in the code that allow an unauthenticated attacker to log in to an administrator account without a password.
InfiniteWP has over 300,000 installations, while WP Time Capsule is installed on at least 20,000 domains. The team said the logic flaw affects InfiniteWP 1.9.4.4 and below: a POST request whose body carries a Base64-encoded JSON payload can bypass the password check, so an attacker needs only the username of an administrator to log in.
WP Time Capsule versions below 1.21.16 are affected by a flaw in a function that can be exploited by adding a particular string to the raw POST body. When that string is present, the plugin calls a function that fetches all administrator accounts and logs the request in as the first one.
WebArx researchers reported the vulnerabilities to the respective plugin developers on January 7, and both plugins were promptly updated with a fix. The developer had to change the action codes and remove several function calls to resolve the issue. The researchers said, “It can be hard to block this vulnerability with general firewall rules because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins. The developer was very fast to react and released the patches on the very next day after our initial report.”