CVE-2020-8771
Published 2020-02-06
Priority: P276
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 46.45% (98.7th percentile)
The Time Capsule plugin before 1.21.16 for WordPress has an authentication bypass. Any request containing IWP_JSON_PREFIX causes the client to be logged in as the first account on the list of administrator accounts.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wptimecapsule | wp_time_capsule | < 1.21.16 | 1.21.16 |
Detection & IOCs (extracted from sources)
sigma
regex: wordpress_[a-z0-9]+=([A-Za-z0-9%]+) (part: header)
- Any HTTP request body or parameter containing the string 'IWP_JSON_PREFIX' triggers the authentication bypass, logging the requester in as the first administrator account. Monitor all inbound HTTP requests to WordPress installations for this string.
- A successful exploitation attempt results in a WordPress session cookie being issued (matching the pattern wordpress_[a-z0-9]+=...) in the response headers. Monitor for unexpected admin session cookie issuance following requests that contain IWP_JSON_PREFIX.
- Successful exploitation produces an HTTP 200 response with Content-Type text/html and a WordPress Dashboard page body. Correlate IWP_JSON_PREFIX requests with 200 responses whose body contains 'Dashboard' as a high-confidence exploitation indicator.
- The authentication bypass affects WordPress Time Capsule plugin versions before 1.21.16 only. Scope detection rules to environments running vulnerable plugin versions.
- The bypass grants access as the FIRST administrator account in the list, not an arbitrary account. Post-exploitation activity will be attributed to the top-listed admin account, which can make audit logs misleading.
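As an added example (not from the page's sources or the Nuclei project), the correlation the notes above describe, applied to request/response records such as a reverse proxy or WAF might log. The HttpExchange field names and the sample traffic are assumed and constructed here.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the detection notes above.
TRIGGER = "IWP_JSON_PREFIX"
SESSION_COOKIE_RE = re.compile(r"wordpress_[a-z0-9]+=([A-Za-z0-9%]+)")


@dataclass
class HttpExchange:
    """One request/response pair (field names are assumed, not from any real log format)."""
    src_ip: str
    request_query: str
    request_body: str
    status: int
    response_headers: dict = field(default_factory=dict)
    response_body: str = ""


def _header(headers: dict, name: str) -> str:
    # Header names are case-insensitive and logs rarely normalise them.
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def assess(ex: HttpExchange) -> str:
    """Classify one exchange as 'none', 'attempt' or 'likely-success'."""
    if TRIGGER not in ex.request_query and TRIGGER not in ex.request_body:
        return "none"
    # Either signal from the notes above upgrades an attempt to a likely success.
    issued_session = bool(SESSION_COOKIE_RE.search(_header(ex.response_headers, "Set-Cookie")))
    dashboard = (ex.status == 200
                 and "text/html" in _header(ex.response_headers, "Content-Type")
                 and "Dashboard" in ex.response_body)
    return "likely-success" if (issued_session or dashboard) else "attempt"


def triage(exchanges) -> dict:
    """Group verdicts by source IP so likely successes stand out for review."""
    out: dict = {}
    for ex in exchanges:
        out.setdefault(ex.src_ip, []).append(assess(ex))
    return out


# Constructed sample traffic (not real logs); the cookie value is made up.
SAMPLE = [
    HttpExchange("203.0.113.5", "", "IWP_JSON_PREFIX...", 200,
                 {"Content-Type": "text/html; charset=UTF-8",
                  "set-cookie": "wordpress_abc123=admin%7C1700000000; Path=/; HttpOnly"},
                 "<title>Dashboard</title>"),
    HttpExchange("203.0.113.5", "", "IWP_JSON_PREFIX...", 403, {"Content-Type": "text/html"}, "Forbidden"),
    HttpExchange("198.51.100.7", "p=1", "", 200, {"Content-Type": "text/html"}, "<title>Dashboard</title>"),
]

if __name__ == "__main__":
    for ip, verdicts in triage(SAMPLE).items():
        print(ip, verdicts)
```

The third sample shows why the request-side trigger is required: a legitimate admin visiting the Dashboard must not raise an alert on its own.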
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
Nuclei
CVE-2020-8771 [CRITICAL] WordPress Time Capsule < 1.21.16 - Authentication Bypass (CVSS 9.8)

Template fragment (the beginning of the template is cut off on the page; indentation restored):

WordPress Time Capsule '

```yaml
          - "Dashboard"
        condition: and
      - type: word
        part: header
        words:
          - 'text/html'
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        regex:
          - "wordpress_[a-z0-9]+=([A-Za-z0-9%]+)"
        part: header
# digest: 490a00463044022076f5be05b67a3e8e37b963c67fb4714759672c8f5fdc801dc5a472e1d616edc5022038464b4e3c346b0322b85bee79861a48c81236864610a6dac66d2858436a0d62:922c64590222798bb761d5b6d8e72950
```