Connect with us

Hi, what are you looking for?


Application Security

SQL Injection, Other Vulnerabilities Found in InfiniteWP Admin Panel

Researchers have uncovered several vulnerabilities in the admin panel of InfiniteWP, a free application that allows WordPress website administrators to control multiple installations from a single dashboard.

Researchers have uncovered several vulnerabilities in the admin panel of InfiniteWP, a free application that allows WordPress website administrators to control multiple installations from a single dashboard.

The client for the WordPress management platform has been downloaded more than 875,000 times from the official WordPress website, and its developers say the tool is utilized by over 318,000 sites.

The security holes in InfiniteWP Admin Panel were reported to the developers by Walter Hop, co-founder and CTO of Netherlands-based Web development company Slik, on November 26. According to the expert, the vulnerabilities can be exploited remotely by an unauthenticated attacker to take over WordPress websites.

Hop has identified SQL injection vulnerabilities in the “login.php” and “execute.php” files. The weaknesses exist because certain user-controlled parameters are not escaped by the “filterParameters()” function.

The researcher has also identified an unrestricted file upload vulnerability that could lead to PHP injection if certain conditions are met. Unauthenticated users can upload various types of files, including PHP files, to the “uploads” directory. The .swp extension is added to the uploaded files when they are written to the file system. However, if the “uploads” directory is writable and if the Web server is configured to interpret .php.swp files as PHP code, PHP injection can be achieved.

Another issue discovered by Hop refers to the fact that passwords are stored in the “iwp_users.passwords” file without being properly hashed. The passwords are stored as unsalted SHA1 hashes, which makes them easy to crack.

“Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied,” Hop explained in a blog post.

Advertisement. Scroll to continue reading.

InfiniteWP addressed one of the SQL injection bugs on November 27 with the release of version 2.4.3. The other SQL injection flaw and the unrestricted file upload vulnerability were fixed on December 9 when the company released version 2.4.4. The insecure password storage issue remains unfixed.

The researcher advises InfiniteWP users to update their installations, change administration passwords to something complex, and re-add their websites to the admin panel in order to generate new secret keys. The experts also recommends checking the “upload” directory for the presence of any suspicious files, and limiting access to the administration panel.

Last week, researchers at Sucuri reported uncovering a critical vulnerability in the WordPress Download Manager plugin. The security hole, which can be exploited to upload backdoors to affected websites, has been fixed with the release of version 2.7.5.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...