There is a critical vulnerability in the WordPress plugin InfiniteWP Client up to version 184.108.40.206 that allows bypassing authentication. In addition, security researchers have discovered a plugin that allows mass changing of user passwords on compromised WordPress installations.
Vulnerability in the InfiniteWP client plugin
InfiniteWP is a powerful admin panel for all your WordPress sites. It allows users to manage an unlimited number of WordPress installations from a central, dedicated server. Essential features:
- Self-hosted system: InfiniteWP runs on your own server and gives you full control
- Updates for WordPress, plugins and themes across multiple installations with just one click
- Fast backup and restore of the complete page or only the database
- Access the backend of all your WordPress installations with just one click
- Batch processing for plug-ins and themes: Activate and deactivate multiple plug-ins and themes on multiple pages simultaneously
- Installation of plugins and themes in several pages simultaneously
and many other features. The plugin has more than 300,000 installations. Now a vulnerability has been discovered in the InfiniteWP Client plugin versions 220.127.116.11 or earlier.
This is a critical authentication bypass vulnerability. A proof of concept has already been published. So far, there is no evidence of exploitation in the wild, but Wordfence security researchers expect exploits in the near future. More information about this critical vulnerability and advice on how to protect websites can be found on the Wordfence blog.
WordPress Mass Password-Changer
Security researchers from Sucuri have discovered a new password changer for WordPress, as I read in the following tweet.
— Catalin Cimpanu (@campuscodi) January 16, 2020
The tool allows attackers to change WordPress user passwords in a compromised environment. Sucuri has published details in this blog post.