[German]There is a critical vulnerability in the WordPress plugin InfiniteWP Client up to version 1.9.4.4 that allows bypassing authentication. In addition, security researchers have discovered a plugin that allows the mass implementation of user passwords on compromised WordPress installations.
Advertising
Vulnerability in the InfiniteWP client plugin
InfiniteWP is a powerful admin panel for all your WordPress sites. It allows users to manage an infinite number of installations of WordPress from a central, dedicated server. Essential features: Selbstgehostetes System:
- Self-hosted system: InfiniteWP runs on your own server and gives you full control
- Updates for WordPress, plugins and themes across multiple installations with just one click
- Fast backup and restore of the complete page or only the database
- Access the backend of all your WordPress installations with just one click
- Batch processing for plug-ins and themes: Activate and deactivate multiple plug-ins and themes on multiple pages simultaneously
- Installation of plugins and themes in several pages simultaneously
and many other features. The plugin has on more than 300,000 installations. Now a vulnerability has been discovered in the InfiniteWP Client plugin versions 1.9.4.4 or earlier.
This is a critical authentication bypass vulnerability. A proof of concept has already been published. So far, there is no evidence of exploitation in the Wild, but Wordfence security researchers are expecting exploits in the near future. More information about this critical vulnerability and advice on what to do to protect websites can be found on the Wordfence blog.
WordPress Mass Password-Changer
Security researchers from Sucuri have discovered a new password changer for WordPress, as I read in the following tweet.
Sucuri finds a new password-changer for WordPress that allows attackers to modify WordPress user passwords within a compromised environmenthttps://t.co/rQsGzOUdd1 pic.twitter.com/bdtiNDYhht
— Catalin Cimpanu (@campuscodi) January 16, 2020
Advertising
The tool allows attackers to change WordPress user passwords in a compromised environment. Sucuri has published details in this blog post.
