Researchers Discover Critical Vulnerability In InfiniteWP Client And WP Time Capsule Plugins
Anybody can log in to WordPress as an administrator if the site is running vulnerable versions of the InfiniteWP Client and WP Time Capsule plugins, warned researchers from WebARX.
In a blog post, the researchers revealed that it's hard to block the vulnerability with general firewall rules “because the payload is encoded and a malicious payload would not look much different compared to a legitimate-looking payload of both plugins.”
Additionally, “because of the nature of the vulnerability, cloud-based firewalls might not be able to make a difference between malicious or legitimate traffic and therefore may fail to provide effective protection against this vulnerability.”
After being informed of the problem by WebARX, the developer of the plugins released patches for the logical issues in the code that caused the vulnerability.