Plugin vulnerability finders tell WordPress users to update asap

The three plugins in the spotlight were InfiniteWP Client, WP Time Capsule, and WP Database Reset.

ZDNet was one of the tech-watching sites to prod readers to action: "If you use these plugins you should update immediately as firewall protection will not work."

HotHardware's Brittany Goetting offered some more grim numbers. There are over 50,000 plugins to go round and not all are created equal, she wrote.

Out of the three in the spotlight, one may as well begin with the authentication bypass vulnerability in the InfiniteWP Client. Naked Security described it as a tool that allows admins to manage multiple WordPress sites from the same interface.

Administrators overseeing sites use InfiniteWP Client.

At least 300,000 sites could have been affected by the vulnerability, Goetting said.

The plugin, it was found, lacked certain authorization checks. "You are vulnerable if you are using InfiniteWP Client versions up to, and as a result users of the plugin should update their sites to version as soon as possible," she wrote.

The Wordfence blog (Wordfence is a product of a company called Defiant) said this was a critical authentication vulnerability. "A proof of concept was published this morning, January 14, 2020. If you are using InfiniteWP client version or earlier we recommend immediately updating your installation to protect your site."

Dan Goodin in Ars Technica also described the seriousness of the authentication bypass vulnerability in the InfiniteWP Client plugin.

"It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks."

Security company WebARX reported the InfiniteWP Client vulnerability and another one, in WP Time Capsule.

WP Time Capsule is designed to make backing up website data easier.

Ars Technica reported that the bug had been fixed in version 1.21.16. "Sites running earlier versions should update right away. Web security firm WebARX has more details," said Ars.

Charlie Osborne in ZDNet said that WP Time Capsule was active on at least 20,000 domains, according to the WordPress plugins library.

The WP Database Reset plugin received much attention, with nearly 80,000 sites using it; the plugin helps users reset their databases, or parts of them, to their default settings.

Wordfence: "On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request."

The plugin did not initially include the proper security checks. "One vulnerability allowed attackers to reset any table and cause a loss of data availability," wrote Goetting. "Another vulnerability enabled any subscriber to take full control of the website and kick out all administrators. Both flaws have thankfully been fixed with version 3.15. Of course the security researchers also encourage users to always back up their sites."
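The two failure modes the coverage keeps returning to, a plugin "lacking certain authorization checks" (the InfiniteWP Client report above) and a plugin that lets an unauthenticated visitor reset tables or a low-privilege user promote themselves (the WP Database Reset report), share one root cause: a request handler that performs a privileged action without verifying who is asking. The block below is an added illustration written for this page, not code from InfiniteWP Client, WP Time Capsule or WP Database Reset and not a reproduction of the reported bugs. It shows a hypothetical WordPress plugin handler in its vulnerable form beside a hardened version. The hook names, function names and the `hypo_` prefix are assumptions; the WordPress API calls (`admin_post_*` hooks, `current_user_can`, `check_admin_referer`, `$wpdb`, `WP_User::set_role`) are real.

```php
<?php
// Added example for this article. Hypothetical plugin code; the names below are
// assumptions and nothing here is taken from the three plugins discussed.

// ---------- VULNERABLE: no authentication, no authorization, no CSRF token ----------
// Registering on admin_post_nopriv_* makes the handler reachable by logged-out visitors.
add_action( 'admin_post_nopriv_hypo_reset_table', 'hypo_reset_table_vulnerable' );
add_action( 'admin_post_hypo_reset_table',        'hypo_reset_table_vulnerable' );
function hypo_reset_table_vulnerable() {
    global $wpdb;
    $table = $_POST['table'];                      // attacker-controlled, unvalidated
    $wpdb->query( "TRUNCATE TABLE {$table}" );     // any visitor can empty any table
    wp_die( 'reset' );
}

// Same pattern for privilege escalation: any logged-in user names an account to promote.
add_action( 'admin_post_hypo_promote', 'hypo_promote_vulnerable' );
function hypo_promote_vulnerable() {
    $user = get_user_by( 'id', (int) $_POST['user_id'] );
    if ( $user ) {
        $user->set_role( 'administrator' );        // a subscriber can promote themselves
    }
    wp_die( 'promoted' );
}

// ---------- HARDENED ----------
// Only the logged-in hook is registered; logged-out requests never reach the handler.
add_action( 'admin_post_hypo_reset_table_safe', 'hypo_reset_table_safe' );
function hypo_reset_table_safe() {
    global $wpdb;

    // 1. Authorization: check a capability. Note that is_admin() only tells you the
    //    request is for an admin screen; it is NOT a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the form must carry a nonce minted with wp_nonce_field( 'hypo_reset_table' ).
    //    check_admin_referer() dies with a 403 if the nonce is missing or stale.
    check_admin_referer( 'hypo_reset_table' );

    // 3. Input validation: allow-list the table instead of interpolating user input.
    $allowed = array( $wpdb->posts, $wpdb->comments, $wpdb->options );
    $table   = isset( $_POST['table'] )
        ? $wpdb->prefix . sanitize_key( wp_unslash( $_POST['table'] ) )
        : '';
    if ( ! in_array( $table, $allowed, true ) ) {
        wp_die( 'Unknown table', '', array( 'response' => 400 ) );
    }

    $wpdb->query( "TRUNCATE TABLE `{$table}`" );   // safe: $table came from the allow-list
    wp_die( 'reset' );
}

add_action( 'admin_post_hypo_promote_safe', 'hypo_promote_safe' );
function hypo_promote_safe() {
    // Changing roles needs the promote_users capability, which subscribers lack.
    if ( ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypo_promote' );

    $user = isset( $_POST['user_id'] ) ? get_user_by( 'id', absint( $_POST['user_id'] ) ) : false;
    if ( ! $user ) {
        wp_die( 'Unknown user', '', array( 'response' => 400 ) );
    }
    $user->set_role( 'administrator' );
    wp_die( 'promoted' );
}
```

The three checks in the hardened handlers map directly onto the flaws the articles describe: dropping the `nopriv` registration and adding a capability check closes the "unauthenticated user" path, the nonce stops a logged-in administrator from being tricked into submitting the request, and the allow-list removes the attacker's ability to name arbitrary tables. Reviewing a plugin for exactly these three things, on every handler that writes to the database or changes users, is the check a practitioner would run before trusting it.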

Sergiu Gartlan for BleepingComputer paid attention to that finding too. "Critical bugs found in the WordPress Database Reset plugin ...allow attackers to drop all users and get automatically elevated to an administrator role and to reset any table in the database."

The Wordfence blog issued this advice, seeing that these were considered critical security issues that could cause complete site reset and/or takeover. "We highly recommend updating to the latest version (3.15) immediately."

What did Ars Technica conclude about the three plugins, InfiniteWP, WP Time Capsule, and WP Database Reset? They had few words and these came easily: "It's time to patch."

Readers' comments in Ars were attempting to pinpoint the source of the problems. "The problem," said one reader, "is when site admins install 10,000 plugins, each of which becomes a new vector for attack."

Where did users hear that before? Computer Business Review, back in June, declared that "WordPress Plugins are widely regarded to be one of the single greatest security threats to WordPress users."
