Not too long ago, we found an authentication bypass vulnerability in the Ultimate Addons for Elementor and Beaver Builder plugins.
Because authentication bypass vulnerabilities are usually logic mistakes in the code rather than something that shows up as a suspicious-looking payload, they can be hard to find and hard to trace back to their root cause.
After looking through the code of several popular plugins, we found that the InfiniteWP Client and WP Time Capsule plugins also contain logic issues that allow anyone to log in to an administrator account without a password.
InfiniteWP Client < 1.9.4.5
For the request to even reach the vulnerable part of the code, the payload must first be JSON-encoded, then Base64-encoded, and then sent as the raw body of a POST request to the site.
The only thing an attacker needs to know is the username of an administrator on the site. Once the request has been sent, the attacker is automatically logged in as that user.
Screenshot from https://infinitewp.com/
The issue resides in the function iwp_mmb_set_request, located in the init.php file. This function checks whether the request_params variable of the IWP_MMB_Core class is non-empty; that variable is only populated when the payload meets certain conditions. Here, the condition is that the iwp_action parameter of the payload equals readd_site or add_site, because these are the only two actions that have no authorization check in place. That missing authorization check is the root cause of the vulnerability.
Once the payload meets these conditions, the supplied username parameter is used to log the requester in as that user without any further authentication.
WP Time Capsule < 1.21.16
The WP Time Capsule plugin does not even require a structured payload: the raw POST body only needs to contain a specific string.
Screenshot from https://wptimecapsule.com/
The issue is located in wptc-cron-functions.php at line 12, where the request is parsed. The parse_request function calls decode_server_request_wptc, which checks whether the raw POST payload contains the string “IWP_JSON_PREFIX”. If it does, wptc_login_as_admin is called; that function fetches all available administrator accounts, takes the first one in the list, and logs the requester in as that administrator.
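Both bypasses above are reachable only when the raw POST body has a particular shape: a Base64-encoded JSON document carrying an iwp_action of add_site or readd_site (InfiniteWP Client), or simply the string IWP_JSON_PREFIX (WP Time Capsule). The following Python is an added example, not code from this article or from either plugin. It builds a request body the way the article describes the InfiniteWP one and then inspects raw POST bodies for both preconditions, the kind of check a WAF rule or a log-review script would apply. The exact JSON layout ({"iwp_action": ..., "params": {"username": ...}}) is an assumption for illustration; the article only names the iwp_action and username parameters. The sample bodies at the bottom are constructed.

```python
import base64
import json
import re

# Actions the article identifies as lacking an authorization check in InfiniteWP Client.
UNAUTHENTICATED_IWP_ACTIONS = {"add_site", "readd_site"}

# Marker string that WP Time Capsule's decode_server_request_wptc looks for in the raw body.
WPTC_MARKER = b"IWP_JSON_PREFIX"


def build_iwp_payload(username: str, action: str = "add_site") -> bytes:
    """Encode a request body the way the article describes: JSON first, then Base64.

    The key layout below is an assumption for illustration; the article only
    names the iwp_action and username parameters.
    """
    if action not in UNAUTHENTICATED_IWP_ACTIONS:
        raise ValueError("only add_site/readd_site reach the unauthenticated path")
    body = {"iwp_action": action, "params": {"username": username}}
    return base64.b64encode(json.dumps(body).encode())


# Candidate Base64 blobs: long enough to plausibly carry a JSON object.
_B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def inspect_post_body(raw: bytes) -> dict:
    """Classify a raw POST body against both bypass preconditions.

    Returns a dict with:
      wptc_marker - True if the WP Time Capsule trigger string is present
      iwp_action  - the iwp_action found in a Base64-encoded JSON blob, if any
      username    - the username parameter from that blob, if present
      suspicious  - True if either plugin's vulnerable path would be reached
    """
    result = {"wptc_marker": False, "iwp_action": None, "username": None, "suspicious": False}

    # WP Time Capsule: the presence of the marker alone triggers wptc_login_as_admin.
    if WPTC_MARKER in raw:
        result["wptc_marker"] = True

    # InfiniteWP Client: look for a Base64 blob that decodes to JSON with an iwp_action.
    for blob in _B64_BLOB.findall(raw):
        try:
            decoded = json.loads(base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass ValueError
            continue
        if isinstance(decoded, dict) and "iwp_action" in decoded:
            result["iwp_action"] = decoded["iwp_action"]
            params = decoded.get("params")
            if isinstance(params, dict):
                result["username"] = params.get("username")
            break

    result["suspicious"] = result["wptc_marker"] or result["iwp_action"] in UNAUTHENTICATED_IWP_ACTIONS
    return result


if __name__ == "__main__":
    # Constructed sample bodies: one per bypass, plus a benign one for contrast.
    samples = {
        "infinitewp add_site": build_iwp_payload("admin"),
        "wp time capsule marker": b"x=1&_IWP_JSON_PREFIX_{}",
        "benign heartbeat": b"action=heartbeat&data=" + base64.b64encode(b'{"action": "heartbeat"}'),
    }
    for label, body in samples.items():
        print(label, "->", inspect_post_body(body))
```

In a WAF or proxy the check would run before the request reaches PHP; in an incident-response setting the same function can be run over saved request bodies from access or proxy logs to find earlier exploitation attempts that a signature-based rule would have missed, since the InfiniteWP body is just an innocuous-looking Base64 string.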
- 07-01-2019 – Reported the vulnerabilities to the developer of both plugins.
- 08-01-2019 – The developer released fixed versions of both plugins.
- 14-01-2019 – Publicly published.