CVE-2020-8772
published 2020-02-06


Priority: P279
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 87.87% (99.7th percentile)
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in.

Affected (1 range)

Vendor    Product            Version range   Fixed in
revmakx   infinitewp_client  < 1.9.4.5       1.9.4.5

Detection & IOCs (extracted from sources)

Path: init.php
Command: iwp_mmb_set_request
Other: wp_infinitewp_auth_bypass (Metasploit module: exploits/unix/webapp/wp_infinitewp_auth_bypass.rb)
  • Enumerate WordPress author usernames via /author/ URL enumeration or the 'Author:' field in page source; these are used as the sole credential for authentication bypass
  • Monitor for unauthenticated POST requests targeting iwp_mmb_set_request in init.php of the InfiniteWP Client plugin
  • Post-exploitation: watch for unexpected overwrites of plugin PHP files (PLUGIN_FILE), followed by restoration; this is indicative of the Metasploit module's payload execution pattern
  • Author username harvesting via HTTP Location header redirect to /author/<username>/ is used as a precursor step to the auth bypass; alert on automated enumeration of this endpoint
  • The Metasploit module explicitly does not support WordPress >= 4.9 due to a breaking API change; exploitation is limited to WordPress <= 4.8.x
  • A valid administrator username is a hard prerequisite for exploitation; without it the bypass cannot be triggered
  • The vulnerability is patched in InfiniteWP Client plugin version 1.9.4.5 and later

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P