Researchers have discovered authentication and authorization bypass bugs in three WordPress plugins, leaving a combined 400,000 WordPress websites open to attack. The affected plugins are InfiniteWP Client, WP Time Capsule and WP Database Reset.
InfiniteWP Client
InfiniteWP Client was hit the hardest by the authentication bypass bug. The plugin lets administrators manage many WordPress sites from a single InfiniteWP server, and it runs on every site that is managed this way. The bug lets an unauthenticated attacker log in as an administrator on any site running a vulnerable version of the client, so a whole fleet of managed sites can be taken over one by one. With over 300,000 active installations, InfiniteWP Client also has the largest reach of the three plugins.
Do you use the InfiniteWP Client plugin and run version 1.9.4.4 or lower? Then update to version 1.9.4.5 as soon as possible.
WP Time Capsule
WP Time Capsule is a plugin that makes it easy to back up your website data. The free version of the plugin is active on more than 20,000 WordPress websites, and it is affected by the same kind of authentication bypass.
Do you use the WP Time Capsule plugin? Version 1.21.16 contains the patch, so update immediately if you are running an older version.
WP Database Reset
WP Database Reset makes it possible to reset the WordPress database with just a few clicks. The first bug lets an attacker trigger that reset without being logged in at all, wiping all data from an affected website: pages, blog posts, users and settings. A second vulnerability lets any logged-in user, however limited their role, escalate to administrator and lock every other user out of the site. WP Database Reset has more than 80,000 active installations.
To close both holes, update the plugin to version 3.15 immediately; this release patches both bugs.
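A quick way to check a site, or a whole fleet of sites, against the three patched releases named above is a WP-CLI script. The script below is an added example, not code from the article, from Wordfence or from any of the plugin authors. It assumes WP-CLI (`wp`) is installed and run from the WordPress root (or pointed at it with `--path`), and that the plugin slugs are `iwp-client`, `wp-time-capsule` and `wordpress-database-reset`; those slugs are assumptions, so confirm them against `wp plugin list` before relying on the output. The version comparison is written in plain POSIX sh so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example (not from the article, Wordfence or the plugin authors): flag installed
# copies of the three plugins that are older than the patched releases named in the text.
# Assumptions: WP-CLI ("wp") is on PATH and run from the WordPress root, and the
# wordpress.org slugs are iwp-client, wp-time-capsule and wordpress-database-reset.

# version_lt A B: succeed (exit 0) when dotted version A is strictly older than B.
# Missing trailing fields count as 0 (1.9 < 1.9.4.5). A "-beta"/"-rc" suffix is
# ignored; fields are expected to be plain numbers.
version_lt() {
  a=${1%%-*}; b=${2%%-*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
    if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
    if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
  done
  return 1
}

# classify INSTALLED PATCHED: print "vulnerable" or "patched" for the given pair.
classify() {
  if version_lt "$1" "$2"; then echo vulnerable; else echo patched; fi
}

# check_plugin SLUG PATCHED: ask WP-CLI for the installed version and report it.
# Exit status 2 marks a vulnerable install so a cron job or CI step can fail on it.
check_plugin() {
  slug=$1; patched=$2
  if ! installed=$(wp plugin get "$slug" --field=version 2>/dev/null); then
    echo "$slug: not installed"
    return 0
  fi
  case $(classify "$installed" "$patched") in
    vulnerable) echo "$slug: $installed installed, VULNERABLE, update to $patched"; return 2 ;;
    *)          echo "$slug: $installed installed, at or above patched release $patched" ;;
  esac
}

# Patched releases as given in the article (slug:version).
PLUGINS="iwp-client:1.9.4.5 wp-time-capsule:1.21.16 wordpress-database-reset:3.15"

# Only run the live check when WP-CLI is present; the functions above work without it.
if command -v wp >/dev/null 2>&1; then
  status=0
  for entry in $PLUGINS; do
    check_plugin "${entry%%:*}" "${entry#*:}" || status=1
  done
  exit $status
fi
```

Run it from the WordPress root of each site (or loop over `--path` values for a multi-site host); a non-zero exit means at least one of the three plugins is still on a vulnerable release. Because the plugins themselves are what need updating, the same script can be re-run after `wp plugin update <slug>` to confirm the fix landed.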
Want to know more about these authentication bypass bugs?
The good news is that, so far, there are no reports of these vulnerabilities being exploited in the wild. That is no reason to wait: authentication bypasses of this kind are trivial to automate once the patch is public, so update first and check your access logs afterwards. If you want to know more about the authentication bypass bugs, consult the Wordfence.com blog post that disclosed them.