WebARX: New flaws in WordPress plugins: WP Client and WP Time Capsule have bugs in their authentication logic that allow it to be bypassed, granting administrator access without valid credentials
New flaws in WordPress plugins, this time in WP Client and WP Time Capsule. WebARX cyber security researchers have discovered that both contain bugs in their authentication logic which allow it to be bypassed, giving administrator access without knowing a valid pair of credentials. In the first case, as the Italian CERT-PA notes, the authentication logic validates the username supplied in the request by delegating all checks to the code that accepts the request. That code normally blocks every unauthenticated request, but two actions (add_site and readd_site) are let through even without authentication. It therefore becomes possible to send an unauthenticated request and impersonate an arbitrary user. In the second case, if the string IWP_JSON_PREFIX is present in the request payload, the code authenticates the caller as the first available administrator account.
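The two weak patterns described above, modelled side by side with a hardened form, as an added illustration that is not code from WP Client, WP Time Capsule or WebARX: the flawed handler takes the acting user from the request itself and lets allowlisted actions or a marker string skip authentication, while the hardened handler requires an HMAC over the request body computed with a per-site secret. USERS, SITE_SECRET and the request shape are assumptions made for the example.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed stand-in for a site's user table; not the plugins' real data model.
USERS = {"alice": "administrator", "bob": "editor"}
# Constructed per-site shared secret that a legitimate management client would hold.
SITE_SECRET = b"constructed-per-site-secret"
# Actions the flawed handler lets through without a session, as the article describes.
UNAUTHENTICATED_ACTIONS = {"add_site", "readd_site"}


def flawed_authenticate(request: dict) -> Optional[str]:
    """Model of the weak pattern: returns the username the request would run as."""
    payload = request.get("payload", "")
    # Second flaw: a marker string in the payload selects the first administrator.
    if "IWP_JSON_PREFIX" in payload:
        return next(u for u, role in USERS.items() if role == "administrator")
    # First flaw: the acting user is whatever username the request names, and the
    # only gate is an action allowlist, so allowlisted actions skip the session check.
    if request.get("action") in UNAUTHENTICATED_ACTIONS:
        return request.get("username")
    return request.get("username") if request.get("session_valid") else None


def sign(body: str) -> str:
    """HMAC-SHA256 over the request body with the per-site secret."""
    return hmac.new(SITE_SECRET, body.encode(), hashlib.sha256).hexdigest()


def hardened_authenticate(request: dict) -> Optional[str]:
    """Every action, add_site included, must carry a valid HMAC over its body; the
    acting user is read from the signed body, never from a bare field or marker."""
    body = request.get("payload", "")
    if not hmac.compare_digest(request.get("signature", ""), sign(body)):
        return None
    try:
        user = json.loads(body).get("username")
    except (ValueError, AttributeError):
        return None
    return user if user in USERS else None
```

A tampered body fails the HMAC check, so renaming the signed user or inserting the marker string no longer changes who the request runs as.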
Just last month, cyber security researchers found another flaw in Ultimate Addons for Elementor and Beaver Builder, which was immediately exploited by cybercriminals to launch attacks
The WP Client and WP Time Capsule flaws are just the latest vulnerabilities in WordPress plugins discovered by cyber security researchers. Last month, another one was found in Ultimate Addons for Elementor and Beaver Builder. That flaw, unlike the latest ones, has already been exploited by cybercriminals to log into existing accounts. In practice, a tmp.zip file was uploaded to install a fake SEO statistics plugin, which then dropped a wp-xmlrpc.php backdoor in the root directory of the vulnerable site. After the infection, attempts to access that file came from multiple IP addresses. The attack was possible because Ultimate Addons offers a login feature that accepts a regular username/password combination as well as Facebook and Google sign-in. In social-media authentication, however, the returned tokens are not verified, and since those logins require no password, none is checked.