Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass



Description
It is possible to log in as an administrator on the site due to logic flaws in the code.
Proof of Concept
The issue resides in wptc-cron-functions.php, line 12, where the request is parsed. The parse_request function calls decode_server_request_wptc, which checks whether the raw POST payload contains a certain string. If it does, wptc_login_as_admin is called and you'll be logged in as an administrator.
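
The flaw class described above, shown next to one way to harden it. This is an added example, not the plugin's code and not its actual fix: the function names, the marker string, the secret and the JSON body layout are all hypothetical.

```php
<?php
// Added illustration. Every name, the marker and the secret below are hypothetical.
const MARKER = 'EXAMPLE_MARKER';   // constructed placeholder, not the plugin's string

// Flawed pattern: a string found anywhere in the raw body is taken as proof
// that the request comes from the trusted service. Anyone can send that string.
function is_service_request_flawed(string $rawBody): bool
{
    return strpos($rawBody, MARKER) !== false;
}

// Hardened pattern: the sender must prove knowledge of a per-site secret by
// signing the exact body, and the signed timestamp limits replay.
function is_service_request_hardened(
    string $rawBody, string $sigHex, string $secret, int $now, int $maxSkew = 300
): bool {
    $expected = hash_hmac('sha256', $rawBody, $secret);
    if (!hash_equals($expected, $sigHex)) {   // constant-time comparison
        return false;
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !isset($data['ts']) || !is_int($data['ts'])) {
        return false;
    }
    return abs($now - $data['ts']) <= $maxSkew;
}

// Constructed sample inputs.
$secret = 'per-site-secret-generated-at-install';
$now    = 1700000000;
$body   = json_encode(['action' => 'sync', 'ts' => $now, 'note' => MARKER]);
$good   = hash_hmac('sha256', $body, $secret);
$forged = str_repeat('0', 64);

var_dump(is_service_request_flawed($body));                                // marker alone is enough
var_dump(is_service_request_hardened($body, $forged, $secret, $now));      // wrong signature
var_dump(is_service_request_hardened($body, $good, $secret, $now));        // valid signature, fresh
var_dump(is_service_request_hardened($body, $good, $secret, $now + 3600)); // valid signature, stale
```

Even with a verified sender, a privileged action such as an administrator login should be reachable only after this check passes, never before or alongside it.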

Affects Plugin

fixed in version 1.21.16

References

CVE 2020-8771
URL https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
URL https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher WebARX
Submitter Dave
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Views 131068
Verified No
WPVDB ID 10010

Timeline

Publicly Published 2020-01-14 (5 months ago)
Added 2020-01-08 (5 months ago)
Last Updated 2020-02-20 (4 months ago)
