CVE-2020-8772
Published 2020-02-06
Priority: P279
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 87.87% (99.7th percentile)
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in as that administrator without supplying a password.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| revmakx | infinitewp_client | < 1.9.4.5 | 1.9.4.5 |
Detection & IOCs (extracted from sources)
Source: Metasploit module wp_infinitewp_auth_bypass (exploits/unix/webapp/wp_infinitewp_auth_bypass.rb)
Indicators:
- Enumeration of WordPress author usernames via /author/ URL enumeration or the 'Author:' field in page source; a harvested administrator username is the sole credential the bypass needs.
- Unauthenticated POST requests that reach iwp_mmb_set_request in the plugin's init.php. The function runs inside the plugin's request handling on an ordinary POST to the WordPress front end, not on a direct request for init.php, so a URI filter on the file name will not see it; match on the request body the plugin parses rather than on the path.
- Post-exploitation: an unexpected overwrite of a plugin PHP file (the module's PLUGIN_FILE option) followed shortly by its restoration. This write-then-restore pair is the Metasploit module's payload execution pattern and is what a file-integrity monitor on the plugins directory should flag.
- Author username harvesting via the HTTP Location redirect to /author/<username>/ is the precursor step to the bypass; alert on automated enumeration of this endpoint.
Caveats:
- The Metasploit module does not support WordPress >= 4.9 because of a breaking WordPress API change, so its code-execution step (overwriting PLUGIN_FILE as the logged-in administrator) is limited to WordPress <= 4.8.x. The authentication bypass itself lives in the plugin and is not limited by WordPress version.
- A valid administrator username is a hard prerequisite; without it the bypass cannot be triggered.
- Patched in InfiniteWP Client 1.9.4.5 and later.
CVSS provenance
NVD CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Nuclei
WordPress InfiniteWP <1.9.4.5 - Authorization Bypass (nuclei, CVSS 9.8)
Template: CVE-2020-8772 [CRITICAL] WordPress InfiniteWP <1.9.4.5 - Authorization Bypass. Only the tail of the template survived extraction: the status matcher, the two username extractors and the signed digest. The request section is not shown here. Both extractors are marked `internal: true`, which means the harvested username is kept for reuse by a later request in the template rather than reported as a result.

```yaml
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: username
        group: 1
        regex:
          - 'Author:(?:[A-Za-z0-9 -\_="]+)?([A-Za-z0-9]+)'
        internal: true
        part: body
      - type: regex
        name: username
        group: 1
        regex:
          - 'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/'
        internal: true
        part: header
# digest: 4a0a0047304502210081f7473ce30e72a68a9a9ce223242afcf2b8be3ab340358aca7e17fc90f878cf0220763128e93d60f97c44a0a455f8a56085fe56d7a2a68c098f835787dbf0bf4382:922c64590222798bb761d5b6d8e72950
```
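The username-harvesting precursor and the follow-on POST from the Detection & IOCs list, as an added example that is not code from this page, from InfiniteWP, or from the Metasploit or Nuclei projects. It does two things: it applies the Nuclei template's Location-header regex (copied verbatim from the template above) to a constructed raw HTTP response, which also shows the template's own limits (only https origins and slugs made purely of a-z match, so a detector must not copy that constraint), and it scans constructed Apache-style access-log lines for one client walking `GET /?author=N` and then sending `POST /`. The `/?author=N` request shape, the 301 status, the log format and the assumption that the bypass request shows up as an ordinary `POST /` to the WordPress front end are mine, not the page's.

```python
"""Added example: detect the CVE-2020-8772 precursor (author-slug harvesting) in web logs.

Not code from the page or from the InfiniteWP, Metasploit or Nuclei projects. The log
format, the /?author=N request shape, the 301 status and the "POST /" follow-on are
assumptions made for this example.
"""
import re
from collections import defaultdict

# Copied verbatim from the header extractor of the Nuclei template shown on this page:
# it pulls the slug out of the tail of "Location: https://<host>/author/<slug>/".
NUCLEI_LOCATION_RE = re.compile(r'ion: https:\/\/[a-z0-9.]+\/author\/([a-z]+)\/')


def extract_author_from_redirect(raw_response: str):
    """Return the slug the template would harvest from a raw HTTP response, or None.

    The template only accepts https origins and slugs made of a-z, so 'admin2' or an
    http:// redirect yield None even though the site did leak the username.
    """
    m = NUCLEI_LOCATION_RE.search(raw_response)
    return m.group(1) if m else None


# Apache/Nginx "combined" access-log format (the constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed enumeration shape: WordPress answers GET /?author=N with a 301 to /author/<slug>/.
# The access log records only the request line and status, not the Location header.
AUTHOR_QUERY_RE = re.compile(r'^/\?author=(\d+)$')


def detect_author_enumeration(log_lines, threshold=3):
    """Report clients that walked /?author=N and were redirected for >= threshold distinct ids.

    Each finding also records whether the same client later sent a POST to the site root,
    the follow-on worth correlating (assumption: the bypass request is an ordinary POST to
    the WordPress front end, so it appears as "POST /" in the log, not as a hit on init.php).
    """
    author_ids = defaultdict(set)
    followed_by_post = defaultdict(bool)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        ip, method, uri, status = m['ip'], m['method'], m['uri'], m['status']
        q = AUTHOR_QUERY_RE.match(uri)
        if method == 'GET' and q and status in ('301', '302'):
            author_ids[ip].add(int(q.group(1)))  # only a redirect leaks a slug; a 404 does not
        elif method == 'POST' and uri == '/' and ip in author_ids:
            followed_by_post[ip] = True  # POST to the front end after enumeration
    return {
        ip: {'author_ids': sorted(ids), 'followed_by_post': followed_by_post[ip]}
        for ip, ids in author_ids.items()
        if len(ids) >= threshold
    }


# Constructed sample log: one scanner walking author ids and then posting, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2020:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [06/Feb/2020:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [06/Feb/2020:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 1234 "-" "curl/7.68.0"',
    '203.0.113.7 - - [06/Feb/2020:10:00:02 +0000] "GET /?author=4 HTTP/1.1" 301 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [06/Feb/2020:10:00:09 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.5 - - [06/Feb/2020:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [06/Feb/2020:10:01:05 +0000] "GET /author/editor/ HTTP/1.1" 200 8890 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    resp = 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.example.com/author/editor/\r\n\r\n'
    print('template would harvest:', extract_author_from_redirect(resp))
    for ip, finding in detect_author_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: author ids {finding["author_ids"]}, followed by POST: {finding["followed_by_post"]}')
```

The threshold of three distinct ids is a starting point, not a rule: a legitimate theme may request one author archive, but nobody walks `?author=1`, `?author=2`, `?author=3` by hand. The redirect check matters because a 404 for a non-existent id leaks nothing, so counting every `?author=` hit would inflate the score without adding signal.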
Metasploit
WordPress InfiniteWP Client Authentication Bypass (exploits/unix/webapp/wp_infinitewp_auth_bypass.rb)
Module description:
This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGIN_FILE. The module will attempt to retrieve the original PLUGIN_FILE contents and restore them after payload execution. If VerifyContents is set, which is the default setting, the module will check to see if the restored contents match the original. Note that a valid administrator username is required for this module. WordPress >= 4.9 is currently not supported due to a breaking WordPress API change. Tested against 4.8.3.
No writeups or analysis indexed.