WordPress Plugin Vulnerabilities

Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass

Description

It is possible to login as an administrator on the site due to logical mistakes in the code.

Proof of Concept

The issue resides in wptc-cron-functions.php line 12 where it parses the request. This parse_request function calls the function decode_server_request_wptc which check if the raw POST payload contains a certain string. If it does, it calls wptc_login_as_admin and you'll be logged in as an administrator.

Affects Plugins

Plugin icon
wp-time-capsule
Fixed in 1.21.16

References

CVE
CVE-2020-8771
URL
https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
URL
https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
WebARX
Submitter
Dave
Submitter website
https://www.webarxsecurity.com
Submitter twitter
webarx_security
Verified
No
WPVDB ID
c549cf1f-58d1-42c9-97db-c1d0e4bc505b

Timeline

Publicly Published
2020-01-14 (about 4 years ago)
Added
2020-01-08 (about 4 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2020-04-08
Title
Klarna Checkout for WooCommerce < 2.0.10 - Authenticated Arbitrary Plugin Deactivation, Activation and Installation
Published
2021-12-14
Title
All In One SEO < 4.1.5.3 - Authenticated Privilege Escalation
Published
2014-08-01
Title
WordPress 3.7.1 & 3.8 - Cleartext Admin Credentials Disclosure
Published
2022-11-04
Title
Jeg Elementor Kit < 2.5.7 - Subscriber+ Authorization Bypass
Published
2014-08-01
Title
WordPress 2.9 - Failure to Restrict URL Access