InfiniteWP Client < 1.9.4.5 - Authentication Bypass



Description
As per agreement between the researcher and developer, details will be released on January 14th.
Proof of Concept
It is possible to log in as any administrator on the site due to logical mistakes in the code.

The issue resides in the function iwp_mmb_set_request, which is located in the init.php file. The function checks whether the request_params array of the core class is not empty. That array is set only in another function, and only when the payload meets certain conditions. In this scenario, readd_site and add_site are the only actions that do not have an authorization check, which is why this issue exists. Once the payload meets these conditions, the supplied username parameter is used to log the requester in as that user without performing any further authentication.
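
The logic described above, reduced to a small PHP model that puts the vulnerable login decision beside a hardened one. This is an added example, not code from the plugin or from the original advisory: every function, constant and key name is hypothetical except the action names add_site and readd_site and the username parameter, and the HMAC check stands in for whatever authorization check the plugin performs.

```php
<?php
// Simplified model of the flaw, not the plugin's code. Every name here is
// hypothetical except the action names add_site / readd_site and "username".
const NO_AUTH_ACTIONS = ['add_site', 'readd_site'];
const DEMO_KEY = 'constructed-demo-key'; // constructed secret for the model

function sign(string $action, string $username): string {
    return hash_hmac('sha256', $action . '|' . $username, DEMO_KEY);
}

// Models the "other function": keeps the parameters when the payload is
// accepted, and records whether an authorization check actually passed.
function parse_request(array $req): array {
    $authorized = hash_equals(sign($req['action'], $req['username']), $req['signature'] ?? '');
    if (!$authorized && !in_array($req['action'], NO_AUTH_ACTIONS, true)) {
        return ['params' => [], 'authorized' => false]; // rejected outright
    }
    return ['params' => $req, 'authorized' => $authorized];
}

// Vulnerable shape: non-empty parameters are treated as proof of authorization.
function login_as_vulnerable(array $parsed): ?string {
    return empty($parsed['params']) ? null : $parsed['params']['username'];
}

// Hardened shape: the login decision depends on the authorization result itself.
function login_as_hardened(array $parsed): ?string {
    if (empty($parsed['params']) || $parsed['authorized'] !== true) {
        return null;
    }
    return $parsed['params']['username'];
}

// Constructed requests; "other_action" is a placeholder for any checked action.
$requests = [
    'unsigned add_site' => ['action' => 'add_site', 'username' => 'admin'],
    'unsigned other'    => ['action' => 'other_action', 'username' => 'admin'],
    'signed other'      => ['action' => 'other_action', 'username' => 'admin',
                            'signature' => sign('other_action', 'admin')],
];
foreach ($requests as $label => $req) {
    $parsed = parse_request($req);
    printf("%-18s vulnerable=%-7s hardened=%s\n", $label,
        var_export(login_as_vulnerable($parsed), true),
        var_export(login_as_hardened($parsed), true));
}
```

The unsigned add_site request is the only row where the two functions disagree: the vulnerable one returns the supplied username, the hardened one returns no login.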

Affects Plugin

fixed in version 1.9.4.5

References

CVE 2020-8772
Metasploit exploit/unix/webapp/wp_infinitewp_auth_bypass
URL https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
URL https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
URL https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher WebARX
Submitter Dave
Submitter Website https://www.webarxsecurity.com
Submitter Twitter webarx_security
Views 133492
Verified No
WPVDB ID 10011

Timeline

Publicly Published 2020-01-14 (5 months ago)
Added 2020-01-08 (5 months ago)
Last Updated 2020-02-11 (4 months ago)
