At least 300,000 users of the InfiniteWP Client plugin could have been affected by one particularly aggravating vulnerability. The plugin is used by administrators who need to oversee several websites. Attackers simply needed to know the username of a site administrator and then “encode malicious payload with JSON and Base64 before sending it to a vulnerable site in a POST request.” The attacker would then have been able to log in without any kind of password and take control of the site.
This vulnerability exists because the plugin lacks certain authorization checks. You are vulnerable if you are using InfiniteWP Client versions up to 126.96.36.199, and as a result, users of the plugin should update their sites to version 188.8.131.52 as soon as possible.
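As an added illustration of the bug class the alert describes (hypothetical code, not the plugin's own): a WordPress handler that treats a base64-encoded JSON POST body as proof of identity, beside a version that requires an HMAC over the body keyed with a secret shared only with the management server, a one-time nonce, and an administrator capability check. The function and field names (`iwp_like_*`, `username`, `sig`, `nonce`) are assumptions for the example.

```php
<?php
// Hypothetical illustration of the missing-authorization bug class (assumed names).

// Vulnerable pattern: knowing an admin's login name is enough to be logged in.
function iwp_like_handle_request_vulnerable(string $raw_post): ?int {
    $payload = json_decode(base64_decode($raw_post), true);
    if (!is_array($payload) || empty($payload['username'])) {
        return null;
    }
    $user = get_user_by('login', $payload['username']);
    if (!$user) {
        return null;
    }
    // No credential, signature or capability check before issuing a session.
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    return $user->ID;
}

// Hardened pattern: the body must be authenticated and non-replayable, and the
// named account must actually be an administrator.
function iwp_like_handle_request_hardened(string $raw_post, string $shared_secret): ?int {
    $payload = json_decode(base64_decode($raw_post, true), true);
    if (!is_array($payload) || empty($payload['username'])
        || empty($payload['sig']) || empty($payload['nonce'])) {
        return null;
    }
    // Recompute the MAC over the body without the signature field; the
    // management server is assumed to encode the same canonical JSON.
    $body = $payload;
    unset($body['sig']);
    $expected = hash_hmac('sha256', json_encode($body), $shared_secret);
    if (!hash_equals($expected, (string) $payload['sig'])) {
        error_log('management request rejected: bad signature');
        return null;
    }
    // Reject replays: each nonce is accepted once (transients used as a store).
    $nonce_key = 'iwp_like_nonce_' . hash('sha256', (string) $payload['nonce']);
    if (get_transient($nonce_key) !== false) {
        error_log('management request rejected: replayed nonce');
        return null;
    }
    set_transient($nonce_key, 1, HOUR_IN_SECONDS);
    $user = get_user_by('login', $payload['username']);
    if (!$user || !user_can($user, 'manage_options')) {
        return null;
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    return $user->ID;
}
```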
At least 20,000 websites were vulnerable to attackers thanks to a flaw in the WP Time Capsule plugin. The plugin is used to back up files and, ironically, to “ensure peace of mind”. As with the InfiniteWP Client vulnerability, attackers could include a specific string in the body of a POST request to be logged in automatically as an administrator. The vulnerability has since been patched in version 1.21.16, and users should update that plugin immediately as well.
The last pair of vulnerabilities affected nearly 80,000 sites that use the WP Database Reset plugin. The plugin helps users reset their databases, or parts of them, to their default settings. The plugin did not initially include the proper security checks. One vulnerability allowed attackers to reset any table and cause a loss of data availability. Another enabled any subscriber to take full control of the website and kick out all administrators. Both flaws have thankfully been fixed in version 3.15. Of course, the security researchers also encourage users to always back up their sites. Full details are in the alerts published by the WordPress security research firm Wordfence.
In other security news, there has been a flurry of vulnerabilities in the wild recently, including a Microsoft Windows flaw called “CurveBall” reported by the United States National Security Agency (NSA). The vulnerability affects the CryptoAPI and would allow attackers to launch man-in-the-middle (MitM) attacks, forge signatures, and more. The vulnerability was fixed in the most recent Patch Tuesday update.
As always, the best advice is to keep all your software patched and updated early and often.