WordPress: Critical vulnerability in InfiniteWP client plugin

[German] There is a critical vulnerability in the WordPress plugin InfiniteWP Client up to and including version 1.9.4.4 that allows authentication to be bypassed. In addition, security researchers have discovered a plugin that lets attackers change user passwords en masse on compromised WordPress installations.



Vulnerability in the InfiniteWP client plugin

InfiniteWP is an admin panel for managing all your WordPress sites. It lets users manage an unlimited number of WordPress installations from a central, dedicated server. Essential features:

  • Self-hosted system: InfiniteWP runs on your own server and gives you full control
  • Updates for WordPress, plugins and themes across multiple installations with a single click
  • Fast backup and restore of the complete site or only the database
  • Access the backend of all your WordPress installations with a single click
  • Batch processing for plugins and themes: activate and deactivate multiple plugins and themes on multiple sites simultaneously
  • Installation of plugins and themes on several sites simultaneously

and many other features. The plugin has more than 300,000 installations. Now a vulnerability has been discovered in the InfiniteWP Client plugin, affecting versions 1.9.4.4 and earlier.

This is a critical authentication bypass vulnerability. A proof of concept has already been published. So far there is no evidence of exploitation in the wild, but Wordfence security researchers expect exploits in the near future. More information about this critical vulnerability and advice on how to protect websites can be found on the Wordfence blog.
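As an added example (not code from the post, Wordfence or the plugin), here is a small Python check that reads the plugin's main-file header and flags installations at or below 1.9.4.4. The plugin path `wp-content/plugins/iwp-client/init.php` and the sample header are assumptions, not values taken from the post.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Last affected release named in the post; anything at or below it is vulnerable.
LAST_VULNERABLE = "1.9.4.4"
# Assumed location of the plugin's main file (not stated in the post); adjust to your install.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/iwp-client/init.php")
# Matches the "Version:" field of a standard WordPress plugin header comment.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)

# Constructed sample header standing in for a plugin main file; not real plugin source.
SAMPLE_HEADER = """<?php
/*
Plugin Name: InfiniteWP Client (constructed sample)
Version: 1.9.4.4
*/
"""

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 1.9.4.10 sorts after 1.9.4.4 (not as text)."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)          # "4-beta" contributes only its digits
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def version_from_header(text: str) -> Optional[str]:
    """Return the Version field from a plugin file header, or None if it is absent."""
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None

def is_vulnerable(version: str, last_bad: str = LAST_VULNERABLE) -> bool:
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= parse_version(last_bad)

def audit_header(text: str) -> Dict[str, object]:
    """Classify a plugin file's header text: version found and whether it is affected."""
    version = version_from_header(text)
    if version is None:
        return {"version": None, "vulnerable": None, "status": "version header not found"}
    bad = is_vulnerable(version)
    return {"version": version, "vulnerable": bad, "status": "UPDATE REQUIRED" if bad else "ok"}

def audit_install(wp_root: Path) -> Dict[str, object]:
    """Audit one WordPress root; a missing main file means the plugin is not installed."""
    main_file = wp_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"version": None, "vulnerable": False, "status": "plugin not installed"}
    return audit_header(main_file.read_text(encoding="utf-8", errors="replace"))
```

Run `audit_install(Path("/var/www/example"))` against each site root you manage; a result of `UPDATE REQUIRED` means the site is still on an affected release.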

WordPress Mass Password-Changer

Security researchers from Sucuri have discovered a new password changer for WordPress, as I read in the following tweet.



The tool allows attackers to change WordPress user passwords in a compromised environment. Sucuri has published details in this blog post.


