SQL Injection, Other Vulnerabilities Found in InfiniteWP Admin Panel

Researchers have uncovered several vulnerabilities in the admin panel of InfiniteWP, a free application that allows WordPress website administrators to control multiple installations from a single dashboard.

The client for the WordPress management platform has been downloaded more than 875,000 times from the official WordPress website, and its developers say the tool is utilized by over 318,000 sites.

The security holes in InfiniteWP Admin Panel were reported to the developers by Walter Hop, co-founder and CTO of Netherlands-based Web development company Slik, on November 26. According to the expert, the vulnerabilities can be exploited remotely by an unauthenticated attacker to take over WordPress websites.

Hop has identified SQL injection vulnerabilities in the “login.php” and “execute.php” files. The weaknesses exist because certain user-controlled parameters are not escaped by the “filterParameters()” function.

The researcher has also identified an unrestricted file upload vulnerability that could lead to PHP injection if certain conditions are met. Unauthenticated users can upload various types of files, including PHP files, to the “uploads” directory. The .swp extension is added to the uploaded files when they are written to the file system. However, if the “uploads” directory is writable and if the Web server is configured to interpret .php.swp files as PHP code, PHP injection can be achieved.

Another issue discovered by Hop refers to the fact that passwords are stored in the “iwp_users.passwords” file without being properly hashed. The passwords are stored as unsalted SHA1 hashes, which makes them easy to crack.

“Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied,” Hop explained in a blog post.

InfiniteWP addressed one of the SQL injection bugs on November 27 with the release of version 2.4.3. The other SQL injection flaw and the unrestricted file upload vulnerability were fixed on December 9 when the company released version 2.4.4. The insecure password storage issue remains unfixed.

The researcher advises InfiniteWP users to update their installations, change administration passwords to something complex, and re-add their websites to the admin panel in order to generate new secret keys. The experts also recommends checking the “upload” directory for the presence of any suspicious files, and limiting access to the administration panel.

Last week, researchers at Sucuri reported uncovering a critical vulnerability in the WordPress Download Manager plugin. The security hole, which can be exploited to upload backdoors to affected websites, has been fixed with the release of version 2.7.5.