The InfiniteWP Client plugin authenticates the central management server to each WordPress installation. If we have both the token and key set, we can then move on to retrieving the user by the public API key that was set and this is where we find our first major problem. From a central location, site owners can perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously.
We are bringing this to your attention because if you are using a cloud based WAF that does not tightly integrate with WordPress, you may not be protected against this vulnerability.
For users who have not generated an API key, the secret is an empty value, so a valid signature can be forged using just the MD5 value of the meta key that we’ve passed in, instead of a valid API key.
InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner to manage unlimited WordPress sites from their own server.
Hi Phyllis, yes, we recommend both premium and free users update Wordfence to 7.4.3, and the InfiniteWP Client plugin to version 1.9.4.5 as soon as possible. A few weeks ago, our Threat Intelligence team discovered a vulnerability present in GiveWP, a WordPress plugin installed on over 70,000 websites. Sites running the free version of Wordfence will receive the firewall rule update …
8 Comments on "Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin"
Gracious Store, January 14, 2020 at 10:00 am: Many site owners like me who manage their sites have no knowledge or understanding of the technicality of the vulnerability; we simply rely on paid security software to protect our sites.
Phyllis Sather, January 14, 2020 at 10:25 am.
An attacker would not need the InfiniteWP server installed to exploit this vulnerability; they could simply craft a request addressing the InfiniteWP logic to log in as any administrative user if they know the username.
Credit specifically goes to Pan Vagenas who discovered the attack and to Ryan Britton, Matt Barry and Matt Rusnak for validating the vulnerability and developing and testing the firewall rule that we have been using to protect our customers from this attack. So far, we have not seen evidence of this vulnerability being exploited in the wild, but we expect to see attempts in the near future.
The first check verifies that there is a valid user and API key; if no token or API key is set, the request is denied from proceeding any further. We will not be releasing a proof of concept at this time, but we may release one in the future to help other firewall vendors add protection to their products, which will help the broader community stay safe.
Wordfence runs as a WordPress plugin and is therefore able to implement this kind of fix. I'm a premium member so you did the update necessary? Anonymous attackers are able to exploit this vulnerability and gain access to password protected posts on websites where registration is open. Personally Identifiable Information displayed when accessing vulnerable “donations” endpoint from GiveWP plugin. This flaw has been patched in version 2.5.5 and we recommend users update to the latest version available. The InfiniteWP server has the corresponding private key which is used to sign requests. From within Wordfence, we can determine if the site is already connected to an InfiniteWP server, and prevent the vulnerable code from running if either the add_site or readd_site actions are passed to InfiniteWP client. As a firewall vendor, our goal is to minimize false positives while blocking attacks.
As an additional note, the fix we have implemented for this vulnerability required tight integration with WordPress. Really, thank you for keeping the security on WordPress updated. The CVSS score of this vulnerability is 7.5 (High) for websites with open registration, because no privileges are required in that case to exploit the vulnerability.
On May 3rd we disclosed a vulnerability in WordPress Core to the Core team that allowed any user with an unprivileged account to bypass the password protection WordPress provides. This is considered a high security issue, and websites running Give 2.5.4 or below should be updated to version 2.5.5 or later right away.
However, it turned out that if no API key was generated, any user was able to access restricted endpoints by simply selecting any meta key from the wp_usermeta table and setting that as the authentication key.
Thank you to the plugin’s team at GiveWP, for their extremely prompt response and cooperation to get a fix out quickly, and to Matt Barry, Wordfence’s Lead Developer, for his assistance in researching this vulnerability. If you are using InfiniteWP client version 1.9.4.4 or earlier we recommend immediately updating your installation to protect your site.