Security firm WebARX discovered that the InfiniteWP Client and WP Time Capsule plugins contain issues that allow malicious parties to log in to an administrator account without using a password.
“Because authentication bypass vulnerabilities are often logical mistakes in the code and don’t actually involve a suspicious-looking payload, it can be hard to find and determine where these issues come from,” said WebARX.
“Cloud-based firewalls might not be able to make a difference between malicious or legitimate traffic and therefore may fail to provide effective protection against this vulnerability,” said WebARX.
WebARX said it manually added a new module to its firewall to block exploitation attempts against this vulnerability.
“We have seen other WordPress security companies follow the same method. In the future, we can expand upon this new feature to block similar issues,” said WebARX.
WebARX said the developer of these plugins was quick to respond and released patches the day after being informed of the security flaw.
“It’s always great to see developers who are taking action quickly and letting their customers know about the issues to help people update to a more secure version as soon as possible,” said WebARX.