Attackers need to know the administrator's username

Dec 4, 2014 15:10 GMT
InfiniteWP allows organizing websites in groups for better administration

A vulnerability in the InfiniteWP client plug-in for WordPress would allow a potential attacker to put websites into maintenance mode and to have malicious actions executed without authenticating.

Threat actors could leverage the flaw to inject JavaScript or malware delivered through iframe elements; other outcomes include posting spam links and defacement messages.

Sucuri, a company providing services for protecting website integrity, detected the vulnerability and said that all versions of the InfiniteWP client earlier than 1.3.8 could be abused this way.

Marc-Alexandre Montpas from Sucuri says that all an attacker needs to know is the username of the site administrator to carry out the nefarious activity.

Normally, administrative requests to the client are validated using PHP's OpenSSL library, so any attempt to spoof a legitimate request is blocked. Vulnerable versions of the plug-in, however, permit certain commands to be executed without that authentication.

Among the actions allowed is the one that can put the website into maintenance mode, with the possibility to define a custom message.
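The defensive pattern the article implies, as an added example that is not InfiniteWP's code: a WordPress-style management client that checks the console's OpenSSL signature on every incoming request before looking at the requested action, so that no command (maintenance mode included) has a code path that skips the check. The function names, the action list and the key pair generated in the demonstration are all hypothetical; the "console side" signing at the bottom is constructed here only so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of actions a signed console request may invoke.
// Deny by default: an action not listed here is rejected even when the
// signature is valid.
const ALLOWED_ACTIONS = ['get_stats', 'maintenance_mode'];

/**
 * Verify that $body was signed by the console's private key.
 * Returns true only for a valid RSA-SHA256 signature over the exact bytes.
 */
function verify_request(string $body, string $signature_b64, string $public_key_pem): bool
{
    $signature = base64_decode($signature_b64, true);
    if ($signature === false) {
        return false;
    }
    $key = openssl_pkey_get_public($public_key_pem);
    if ($key === false) {
        return false;
    }
    return openssl_verify($body, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

/**
 * Dispatch a console request. The signature check runs first, before the
 * action name is even parsed, so there is no unauthenticated path to any
 * action. Returns an array describing the outcome.
 */
function handle_request(string $body, string $signature_b64, string $public_key_pem): array
{
    if (!verify_request($body, $signature_b64, $public_key_pem)) {
        return ['status' => 403, 'error' => 'invalid signature'];
    }
    $request = json_decode($body, true);
    if (!is_array($request)
        || !isset($request['action'])
        || !in_array($request['action'], ALLOWED_ACTIONS, true)) {
        return ['status' => 400, 'error' => 'unknown action'];
    }
    switch ($request['action']) {
        case 'maintenance_mode':
            // The custom message comes only from a verified request; it is still
            // HTML-escaped so that a compromised console cannot turn it into script.
            $message = htmlspecialchars((string) ($request['message'] ?? ''), ENT_QUOTES, 'UTF-8');
            return ['status' => 200, 'maintenance' => true, 'message' => $message];
        case 'get_stats':
            return ['status' => 200, 'stats' => ['posts' => 0]];
    }
    return ['status' => 400, 'error' => 'unhandled action'];
}

// --- Demonstration with a constructed key pair: the console side signs, the client side verifies ---
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $private_pem);
$public_pem = openssl_pkey_get_details($pair)['key'];

$body = json_encode(['action' => 'maintenance_mode', 'message' => 'Back soon']);
openssl_sign($body, $sig, $private_pem, OPENSSL_ALGO_SHA256);

// 1. Properly signed request from the console: accepted (status 200).
print_r(handle_request($body, base64_encode($sig), $public_pem));

// 2. Same body without a valid signature, which is all an unauthenticated sender
//    can produce: rejected before the maintenance-mode code is reached.
print_r(handle_request($body, base64_encode('bogus'), $public_pem));

// 3. Signed body altered in transit: rejected, because the signature covers the exact bytes.
$tampered = str_replace('Back soon', '<b>changed</b>', $body);
print_r(handle_request($tampered, base64_encode($sig), $public_pem));
```

The point of the structure is ordering: `verify_request()` is the first statement of `handle_request()`, and every action lives behind it. A client that checks the signature inside individual action handlers instead is one forgotten call away from the unauthenticated maintenance-mode command the article describes. Knowing the administrator's username gives a sender nothing here, because only possession of the console's private key produces a signature that verifies.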

The company disclosed the flaw responsibly to the developers and said that, considering the severity of the issue, more details would become available in about 30 days.

InfiniteWP has been designed to offer users a simple way to manage multiple WordPress websites from a single administrative console. The product has more than 860,000 downloads at the moment, and a new update that fixes the issue was released on Tuesday.

Vulnerability in InfiniteWP (5 Images)

InfiniteWP allows organizing websites in groups for better administration
InfiniteWP allows remote installation of plug-ins
Plug-in management console