
Vulnerabilities in WordPress Plugins Place 400,000 Sites At Risk

Evan Lorne / Shutterstock.com


Researchers have discovered critical vulnerabilities in WordPress plugins that could affect about 400,000 websites. The three affected plugins include InfiniteWP Client, WP Time Capsule, as well as WP Database Reset.

No evidence suggests that attackers are actively exploiting the vulnerabilities in the three WordPress plugins. However, it would be wise to patch the flaws as soon as possible.

According to the security researchers, the two security flaws in WP Database Reset are the least critical.

The first allows an unauthenticated person to reset any table in the database to its original WordPress state, which could reset the site to the default WP settings or, worse, cause a complete loss of data.

The second security flaw in WP Database Reset is a privilege-escalation vulnerability: any authenticated user can gain administrative rights and lock other users out.

Version 3.15 patches the two WP Database Reset plugin vulnerabilities. And experts advise that site administrators update to the new version.

The Other WordPress Plugin Vulnerabilities

Here’s a breakdown of the other security flaws.

WP Time Capsule

WP Time Capsule helps site administrators conveniently back up their websites, and the plugin runs on over 20,000 websites.

Now the critical flaw in the plugin could lead to an authentication bypass. Attackers can include a string in a POST request to obtain a list of all administrative accounts and log into the first one automatically.

A recent version of the plugin, 1.21.16, fixes the vulnerability.

InfiniteWP Client

Over 300,000 websites are using the InfiniteWP Client plugin, making its flaw the highest-impact vulnerability of the three.

Researchers found a security flaw that allows anyone without credentials to log into an administrative account. In other words, people exploiting the vulnerability only need the username of a valid account.

From there, the attacker can choose to add new accounts, delete contents, and carry out a wide range of activities.

A researcher at Web security firm Sucuri, Marc-Alexandre Montpas, explained in a post:

“Logical vulnerabilities like the ones seen in this recent disclosure can result in severe issues for Web applications and components. These flaws can be exploited to bypass authentication controls—and in this case, log in to an administrator account without a password.”

Site administrators that are using InfiniteWP Client version 1.9.4.4 or earlier should update to 1.9.4.5 immediately.
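An added check, not from the article or from the plugin vendors: this script reads the JSON that `wp plugin list --format=json` prints and flags any of the three plugins whose installed version is older than the patched release named above. The plugin slugs (`iwp-client`, `wp-time-capsule`, `wp-database-reset`) are assumptions, and the sample plugin list is constructed.

```python
import json
from typing import Dict, List, Tuple

# Patched versions as stated in the article, keyed by the plugin slug that
# `wp plugin list` reports. The slugs are an assumption, not from the article.
PATCHED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "wp-database-reset": ("WP Database Reset", "3.15"),
    "wp-time-capsule": ("WP Time Capsule", "1.21.16"),
    "iwp-client": ("InfiniteWP Client", "1.9.4.5"),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.4.4' into (1, 9, 4, 4); a non-numeric component counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b. Compares numerically (so 3.9 < 3.15,
    unlike a string comparison) and pads the shorter tuple with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))

def find_vulnerable(plugin_list_json: str) -> List[Dict[str, str]]:
    """Return the listed plugins that are older than their patched release."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name", "")
        if slug not in PATCHED_VERSIONS:
            continue  # not one of the three plugins covered here
        title, fixed = PATCHED_VERSIONS[slug]
        installed = plugin.get("version", "0")
        if version_lt(installed, fixed):
            findings.append({"plugin": title, "installed": installed,
                             "fixed_in": fixed, "status": plugin.get("status", "")})
    return findings

# Constructed sample, in the shape `wp plugin list --format=json` produces.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "iwp-client", "status": "active", "update": "available", "version": "1.9.4.4"},
    {"name": "wp-time-capsule", "status": "active", "update": "none", "version": "1.21.16"},
    {"name": "wp-database-reset", "status": "inactive", "update": "available", "version": "3.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
])

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_PLUGIN_LIST):
        print(f"{f['plugin']}: installed {f['installed']}, fixed in {f['fixed_in']} ({f['status']})")
```

On a real site, pipe `wp plugin list --format=json` into `find_vulnerable` instead of the constructed sample.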

Sumbo Bello

Sumbo Bello is a creative writer who enjoys creating data-driven content for news sites. In his spare time, he plays basketball and listens to Coldplay.

Comments (0)
Most Recent most recent
You
112
share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.