Cybersecurity threats 2014: Security Bypass in WordPress InfiniteWP Client

Posted: December 5, 2014 in Vulnerabilities

Privilege escalation and potential PHP object injection. The vulnerability allows a remote user to cause a denial of service and to manipulate data.

Severity: medium
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV:N/AC:L/Au:N/C:N/I:P/A:P/E:U/RL:OF/RC:C) = Base: 6.4 / Temporal: 4.7

Attack vector: Remote
Impact: Denial of service, unauthorized modification of data

Affected products: WordPress InfiniteWP Client 1.x
Affected versions: WordPress InfiniteWP Client versions before 1.3.8


Description:

The vulnerability is due to the fact that InfiniteWP Client receives management commands through the raw request body (the php://input stream) and uses them to perform administrative actions; in some cases those actions can be performed while bypassing the plugin's authentication mechanism. Because the command data is also unserialized, the same input path carries a potential PHP object injection risk.

Note: Successful exploitation allows an attacker to put the site into maintenance mode and change the content of the page shown to visitors with a corresponding warning, but it requires knowing the login name of a user with administrative rights.
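The pattern the description refers to, as an added illustration rather than the plugin's own code: a stand-alone PHP script modelling a remote-command endpoint that reads the raw POST body, first in the weak form (the only "authentication" is that the supplied username belongs to an administrator, and the body is unserialize()d), then in a hardened form that requires an HMAC over the body with a per-site secret and decodes JSON instead of unserializing. The example_* function names, the in-memory $site array standing in for wp_options and the users table, and the forged request are assumptions made for this demo.

```php
<?php
// Added illustration, not the InfiniteWP Client's own code. The example_*
// function names and the in-memory $site array (a stand-in for wp_options
// and the users table) are assumptions made for this demo.
declare(strict_types=1);

$site = [
    'admins'      => ['admin'],                           // logins with admin rights
    'secret'      => 'per-site-secret-set-at-activation', // known only to the manager
    'maintenance' => false,
    'notice'      => '',
];

// Vulnerable pattern: the command arrives as the raw POST body (php://input),
// is base64-decoded and unserialize()d, and the only "authentication" is that
// the supplied username belongs to an administrator. Anyone who knows that
// login can issue the command, and unserialize() of attacker data lets any
// loaded class with __wakeup()/__destruct() be instantiated (object injection).
// On PHP 7+, unserialize($decoded, ['allowed_classes' => false]) removes the
// object-injection part but does nothing about the missing authentication.
function example_vulnerable_handler(array &$site, string $raw_body): string
{
    $decoded = base64_decode($raw_body, true);
    if ($decoded === false) {
        return 'bad request';
    }
    $req = @unserialize($decoded);
    if (!is_array($req)) {
        return 'bad request';
    }
    if (!in_array($req['username'] ?? '', $site['admins'], true)) {
        return 'unauthorized';
    }
    if (($req['action'] ?? '') === 'maintenance') {
        $site['maintenance'] = true;
        $site['notice']      = (string) ($req['notice'] ?? '');
        return 'ok';
    }
    return 'unknown action';
}

// Hardened pattern: same command, but the body is JSON (decoded to arrays, so
// no object instantiation), it carries a timestamp for a replay window, and it
// must be accompanied by an HMAC-SHA256 over the exact bytes, keyed with the
// per-site secret. Knowing the admin login alone is no longer enough.
function example_hardened_handler(array &$site, string $raw_body, string $signature): string
{
    $expected = hash_hmac('sha256', $raw_body, $site['secret']);
    if (!hash_equals($expected, $signature)) {          // constant-time compare
        return 'bad signature';
    }
    $req = json_decode($raw_body, true, 8);
    if (!is_array($req)) {
        return 'bad request';
    }
    if (abs(time() - (int) ($req['ts'] ?? 0)) > 300) {  // 5-minute replay window
        return 'stale request';
    }
    if (!in_array($req['username'] ?? '', $site['admins'], true)) {
        return 'unauthorized';
    }
    if (($req['action'] ?? '') === 'maintenance') {
        $site['maintenance'] = true;
        $site['notice']      = (string) ($req['notice'] ?? '');
        return 'ok';
    }
    return 'unknown action';
}

// Constructed demo: an attacker who knows only the admin login name.
$forged = base64_encode(serialize([
    'username' => 'admin',
    'action'   => 'maintenance',
    'notice'   => 'Site down for maintenance, see example.invalid',
]));
echo 'vulnerable handler, forged request: ',
     example_vulnerable_handler($site, $forged), PHP_EOL;

$site['maintenance'] = false;
$body = json_encode([
    'username' => 'admin',
    'action'   => 'maintenance',
    'notice'   => 'Scheduled maintenance',
    'ts'       => time(),
]);
echo 'hardened handler, unsigned request: ',
     example_hardened_handler($site, $body, 'no-key'), PHP_EOL;
echo 'hardened handler, signed by manager: ',
     example_hardened_handler($site, $body, hash_hmac('sha256', $body, $site['secret'])), PHP_EOL;
```

Run it with `php example.php` (PHP 7.0 or later). The forged request is accepted by the vulnerable handler because the admin login is the only thing it checks; the hardened handler rejects it until the caller can produce the HMAC, which requires the secret the management server received when the client was activated. The secret still has to be generated with a CSPRNG and exchanged out of band once, and a real plugin should additionally rate-limit and log failed signature checks.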

Solution: Install version 1.3.8 or later from the vendor.

References:
http://blog.sucuri.net/2014/12/security-advisory-high-severity-infinitewp-client-wordpress-plugin.html


Vendor URL:
https://wordpress.org/plugins/iwp-client/
