cbcvebase.
CVE-2020-8771
published 2020-02-06

Priority P276 | critical | 9.8 | CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 46.45% (98.7th percentile)
The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts.

Affected

1 range
Vendor | Product | Version range | Fixed in
wptimecapsule | wp_time_capsule | < 1.21.16 | 1.21.16

Detection & IOCs (extracted from sources)

other: IWP_JSON_PREFIX
sigma: regex: wordpress_[a-z0-9]+=([A-Za-z0-9%]+) (part: header)
  • Any HTTP request body or parameter containing the string 'IWP_JSON_PREFIX' triggers authentication bypass, logging the requester in as the first administrator account. Monitor all inbound HTTP requests to WordPress installations for this string.
  • A successful exploitation attempt will result in a WordPress session cookie being issued (matching pattern wordpress_[a-z0-9]+=...) in the response header. Monitor for unexpected admin session cookie issuance following requests containing IWP_JSON_PREFIX.
  • Successful exploitation produces an HTTP 200 response with Content-Type text/html and a WordPress Dashboard page body. Correlate IWP_JSON_PREFIX requests with 200 responses and 'Dashboard' in the body as a high-confidence exploitation indicator.
  • The authentication bypass affects WordPress Time Capsule plugin versions before 1.21.16 only. Ensure detection rules are scoped to environments running vulnerable plugin versions.
  • The bypass grants access as the FIRST administrator account in the list, not an arbitrary account. Post-exploitation activity should be attributed to the top-listed admin account, which may cause confusion in audit logs.
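
The correlation described in the notes above, as an added example (not code from this page or from the plugin's vendor): it grades each HTTP transaction that carries the marker by whether a session cookie or a Dashboard page came back. The transaction field names (`url`, `req_body`, `status`, `resp_headers`, `resp_body`) and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

MARKER = "IWP_JSON_PREFIX"
# Cookie regex as quoted on this page (it is matched against response headers).
COOKIE_RE = re.compile(r"wordpress_[a-z0-9]+=([A-Za-z0-9%]+)")

def classify(txn):
    """Return None, 'attempt', 'session-issued' or 'dashboard-served' for one transaction."""
    # Decode first so a percent-encoded marker in a parameter is still seen.
    request_data = unquote_plus(txn["url"] + "\n" + txn.get("req_body", ""))
    if MARKER not in request_data:
        return None
    headers = [(name.lower(), value) for name, value in txn.get("resp_headers", [])]
    cookie_issued = any(n == "set-cookie" and COOKIE_RE.search(v) for n, v in headers)
    content_type = next((v for n, v in headers if n == "content-type"), "")
    dashboard = (txn.get("status") == 200
                 and content_type.lower().startswith("text/html")
                 and "Dashboard" in txn.get("resp_body", ""))
    if dashboard:
        return "dashboard-served"   # high-confidence indicator per the notes above
    if cookie_issued:
        return "session-issued"     # session cookie returned to a marker request
    return "attempt"                # marker seen, no sign of success

def scan(transactions):
    """Map transaction id -> verdict for every transaction that carries the marker."""
    verdicts = ((t["id"], classify(t)) for t in transactions)
    return {tid: v for tid, v in verdicts if v is not None}

# Constructed sample transactions (not real traffic); field names are assumptions.
COOKIE = "wordpress_0123abcdef=admin%7C1700000000%7Cconstructed; path=/; HttpOnly"
SAMPLES = [
    {"id": "t1", "url": "/wp-login.php", "req_body": "log=alice&pwd=constructed",
     "status": 200, "resp_headers": [("Content-Type", "text/html"), ("Set-Cookie", COOKIE)],
     "resp_body": "<title>Dashboard</title>"},
    {"id": "t2", "url": "/", "req_body": "IWP_JSON_PREFIX", "status": 403,
     "resp_headers": [("Content-Type", "text/html")], "resp_body": "Forbidden"},
    {"id": "t3", "url": "/?q=IWP%5FJSON%5FPREFIX", "req_body": "", "status": 302,
     "resp_headers": [("Set-Cookie", COOKIE)], "resp_body": ""},
    {"id": "t4", "url": "/wp-admin/", "req_body": "IWP_JSON_PREFIX", "status": 200,
     "resp_headers": [("content-type", "text/html; charset=UTF-8"), ("Set-Cookie", COOKIE)],
     "resp_body": "<title>Dashboard</title>"},
]

if __name__ == "__main__":
    for tid, verdict in scan(SAMPLES).items():
        print(tid, verdict)
```

The ordinary login in `t1` is ignored because it lacks the marker, so a normal administrator sign-in does not raise an alert on its own.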

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P