Privilege escalation and potential PHP object injection vulnerability. The vulnerability allows a remote user to cause a denial of service and to modify data.
Severity: medium
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: (AV: N / AC: L / Au: N / C: N / I: P / A: P / E: U / RL: O / RC: C) = Base: 6.4 / Temporal: 4.7
Attack vector: Remote
Impact: Denial of service, Unauthorized modification of data
Affected products: WordPress InfiniteWP Client 1.x
Affected versions: WordPress InfiniteWP Client versions prior to 1.3.8
Description:
The vulnerability exists because InfiniteWP Client reads management commands from the php://input stream and uses them to perform administrative actions; in some cases these actions can be performed while bypassing the plugin's authentication mechanism. A remote user can exploit this to run administrative actions without valid credentials.
Note: Successful exploitation allows an attacker to put the site into maintenance mode and replace the content of the page shown to visitors with a notice of their choosing, but requires knowledge of the login (username) of a user with administrative rights.
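The following is an added illustration of the request-handling pattern the description refers to; it is not InfiniteWP Client's code, and the endpoint, the $SITE_STATE array, run_admin_action(), the maintenance_mode action and the per-site secret are all assumptions made for this example. The vulnerable handler shows the two weaknesses named in the advisory (a command body that is unserialize()d, and an authorisation check that needs nothing more than an administrator's username); the hardened handler verifies an HMAC over the raw body before parsing it, uses JSON instead of PHP serialization, and bounds replay with a timestamp.

```php
<?php
// Added example, not InfiniteWP's code: a hypothetical remote-management
// endpoint showing the pattern the advisory describes (commands read from
// php://input driving admin actions) in a vulnerable and a hardened form.
// $SITE_STATE, run_admin_action(), the 'maintenance_mode' action and the
// shared secret are assumptions made for this illustration.

$SITE_STATE = ['maintenance' => false, 'notice' => ''];

// The privileged action the advisory mentions: put the site into
// maintenance mode and set the text shown to visitors.
function run_admin_action(string $action, array $params): string
{
    global $SITE_STATE;
    if ($action !== 'maintenance_mode') {
        return 'unknown action';
    }
    $SITE_STATE['maintenance'] = !empty($params['enabled']);
    $SITE_STATE['notice']      = (string)($params['message'] ?? '');
    return 'ok';
}

// --- Vulnerable pattern ----------------------------------------------------
// (1) unserialize() on attacker-controlled bytes is a PHP object-injection
//     sink; (2) the only check before the action runs is that the request
//     names an existing administrator, which is not a secret.
function vulnerable_handler(string $raw_body, array $admin_usernames): string
{
    $request = @unserialize($raw_body);
    if (!is_array($request) || empty($request['action'])) {
        return 'bad request';
    }
    $user = $request['params']['username'] ?? '';
    if (!in_array($user, $admin_usernames, true)) {
        return 'not authorised';
    }
    return run_admin_action($request['action'], $request['params'] ?? []);
}

// --- Hardened pattern ------------------------------------------------------
// The body is JSON (no object-injection sink). Before anything is parsed, an
// HMAC over the raw bytes is verified in constant time against a per-site
// secret that only the management server holds; a timestamp bounds replay.
function hardened_handler(string $raw_body, string $mac, string $secret, int $now): string
{
    $expected = hash_hmac('sha256', $raw_body, $secret);
    if (!hash_equals($expected, $mac)) {
        return 'not authorised';            // reject before touching the body
    }
    try {
        $request = json_decode($raw_body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return 'bad request';
    }
    if (!is_array($request) || empty($request['action']) || !isset($request['ts'])) {
        return 'bad request';
    }
    if (abs($now - (int)$request['ts']) > 300) {
        return 'stale request';             // five-minute replay window
    }
    return run_admin_action($request['action'], $request['params'] ?? []);
}

// --- Demonstration with constructed input ----------------------------------
$admins = ['admin'];
$secret = 'per-site-secret-exchanged-at-install';   // constructed
$now    = 1418000000;                                // constructed timestamp

// Attacker knows only the administrator's username.
$attack = serialize([
    'action' => 'maintenance_mode',
    'params' => ['username' => 'admin', 'enabled' => true, 'message' => 'Site defaced'],
]);
echo "vulnerable handler: " . vulnerable_handler($attack, $admins) . "\n";

// Same attacker against the hardened handler, with a MAC made from a guessed key.
$attack_json = json_encode(['action' => 'maintenance_mode', 'ts' => $now,
                            'params' => ['enabled' => true, 'message' => 'Site defaced']]);
$guessed_mac = hash_hmac('sha256', $attack_json, 'guess');
echo "hardened handler, attacker: " . hardened_handler($attack_json, $guessed_mac, $secret, $now) . "\n";

// The legitimate management server, which holds the secret, is still accepted.
$legit = json_encode(['action' => 'maintenance_mode', 'ts' => $now,
                      'params' => ['enabled' => true, 'message' => 'Back shortly']]);
$legit_mac = hash_hmac('sha256', $legit, $secret);
echo "hardened handler, legitimate: " . hardened_handler($legit, $legit_mac, $secret, $now) . "\n";
```

The point of the ordering in hardened_handler() is that the MAC is checked on the raw bytes before any parsing happens, so neither a deserialization gadget nor a malformed body reaches code that runs before authentication; hash_equals() is used so that the comparison does not leak the expected MAC through timing, and the timestamp stops a captured valid request from being replayed later.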
Solution: Install version 1.3.8 or later from the vendor.
References:
http://blog.sucuri.net/2014/12/security-advisory-high-severity-infinitewp-client-wordpress-plugin.html
Vendor URL:
https://wordpress.org/plugins/iwp-client/