WordPress Plugin Vulnerabilities

InfiniteWP Client < 1.9.4.5 - Authentication Bypass

Description

As per agreement between the researcher and developer, details will be released on January 14th.

Proof of Concept

Affects Plugins

Plugin icon
iwp-client
Fixed in 1.9.4.5

References

CVE
CVE-2020-8772
URL
exploit/unix/webapp/wp_infinitewp_auth_bypass
URL
https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule/
URL
https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulnerability-in-infinitewp-client-plugin/
URL
https://blog.sucuri.net/2020/01/authentication-bypass-vulnerability-in-infinitewp-client.html

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
WebARX
Submitter
Dave
Submitter website
https://www.webarxsecurity.com
Submitter twitter
webarx_security
Verified
No
WPVDB ID
fac62d36-0fa1-4b43-8f5c-bddbd0cff140

Timeline

Publicly Published
2020-01-14 (about 6 years ago)
Added
2020-01-08 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-05-17
Title
MStore API < 3.9.1 - Authentication Bypass
Published
2025-02-10
Title
WP Foodbakery <= 4.7 - Authentication Bypass
Published
2026-01-29
Title
Booked <= 3.0.0 - Authentication Bypass
Published
2021-07-19
Title
Profile Builder < 3.4.9 - Admin Access via Password Reset
Published
2023-04-14
Title
ZM Ajax Login & Register <= 2.0.2 - Unauthenticated Authentication Bypass