An incredibly severe bug affecting two WordPress plugins has been patched and users have been urged to update these plugins as soon as possible.
The plugins in question are InfiniteWP Client and WP Time Capsule. Both contain logic flaws that would allow anybody to log into an administrator account without needing a password.
The vulnerability was detailed by WebARX.
What makes this vulnerability so concerning is that an attack wouldn’t look like a suspicious payload.
“Because of the nature of the vulnerability, cloud-based firewalls might not be able to make a difference between malicious or legitimate traffic and therefore may fail to provide effective protection against this vulnerability,” wrote WebARX.
The vulnerability was discovered on 7th January and a patch was released for both plugins on 8th January.
“The developer was very fast to react and released the patches on the very next day after our initial report. It’s always great to see developers who are taking action quickly and letting their customers know about the issues to help people update to a more secure version as soon as possible,” WebARX added.
The advice now is to update these plugins as soon as possible if you use them.