Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass



Description

As per agreement between the researcher and developer, details will be released on January 14th.

Proof of Concept

It is possible to log in as an administrator on the site due to logic errors in the code.

The issue resides in wptc-cron-functions.php, line 12, where the plugin parses the request. The parse_request function calls decode_server_request_wptc, which checks whether the raw POST payload contains a certain string. If it does, wptc_login_as_admin is called and the requester is logged in as an administrator.
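
The class of flaw described above, reduced to a minimal PHP model next to one general hardening pattern. This is an added example, not the plugin's source and not the change shipped in 1.21.16; MARKER, SHARED_SECRET, the "ts" field and both function names are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's code. MARKER, SHARED_SECRET, the "ts"
// field and both function names are hypothetical placeholders.
const MARKER = 'PLACEHOLDER_MARKER';              // stands in for the "certain string"
const SHARED_SECRET = 'constructed-demo-secret';  // assumed per-site key

// Flawed pattern: the privileged path is selected by a substring test on
// requester-controlled bytes, so nothing proves who sent the request.
function is_trusted_flawed(string $rawBody): bool
{
    return strpos($rawBody, MARKER) !== false;
}

// Hardened pattern: require an HMAC over the exact raw body, made with a
// secret only the legitimate service and this site hold, plus a fresh timestamp.
function is_trusted_hardened(string $rawBody, string $sigHex, int $now, int $maxSkew = 300): bool
{
    $expected = hash_hmac('sha256', $rawBody, SHARED_SECRET);
    if (!hash_equals($expected, $sigHex)) {       // constant-time comparison
        return false;
    }
    $msg = json_decode($rawBody, true);
    if (!is_array($msg) || !isset($msg['ts']) || !is_int($msg['ts'])) {
        return false;
    }
    return abs($now - $msg['ts']) <= $maxSkew;    // reject stale bodies (bounds the replay window)
}

// Constructed sample requests (not captured traffic).
$now      = 1578960000;
$signed   = json_encode(['action' => 'run_backup', 'ts' => $now - 10]);
$sig      = hash_hmac('sha256', $signed, SHARED_SECRET);
$unsigned = json_encode(['note' => MARKER, 'ts' => $now]);

$cases = [
    'flawed check, unsigned body with marker' => is_trusted_flawed($unsigned),
    'hardened check, unsigned body'           => is_trusted_hardened($unsigned, str_repeat('0', 64), $now),
    'hardened check, signed and fresh'        => is_trusted_hardened($signed, $sig, $now),
    'hardened check, signed but one hour old' => is_trusted_hardened($signed, $sig, $now + 3600),
];
foreach ($cases as $label => $accepted) {
    printf("%-42s %s\n", $label, $accepted ? 'accepted' : 'rejected');
}
```

The flawed check accepts any body that merely contains the marker, while the hardened check accepts only the signed, fresh body.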

Affects Plugin

fixed in version 1.21.16

References

URL https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
URL https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher WebARX
Submitter Dave
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Views 41020
Verified No
WPVDB ID 10010

Timeline

Publicly Published 2020-01-14 (9 days ago)
Added 2020-01-08 (14 days ago)
Last Updated 2020-01-16 (6 days ago)
