CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

SQL Injection, Other Vulnerabilities Found in InfiniteWP Admin Panel

Researchers have uncovered several vulnerabilities in the admin panel of InfiniteWP, a free application that allows WordPress website administrators to control multiple installations from a single dashboard.

Researchers have uncovered several vulnerabilities in the admin panel of InfiniteWP, a free application that allows WordPress website administrators to control multiple installations from a single dashboard.

The client for the WordPress management platform has been downloaded more than 875,000 times from the official WordPress website, and its developers say the tool is utilized by over 318,000 sites.

The security holes in InfiniteWP Admin Panel were reported to the developers by Walter Hop, co-founder and CTO of Netherlands-based Web development company Slik, on November 26. According to the expert, the vulnerabilities can be exploited remotely by an unauthenticated attacker to take over WordPress websites.

Hop has identified SQL injection vulnerabilities in the “login.php” and “execute.php” files. The weaknesses exist because certain user-controlled parameters are not escaped by the “filterParameters()” function.

The researcher has also identified an unrestricted file upload vulnerability that could lead to PHP injection if certain conditions are met. Unauthenticated users can upload various types of files, including PHP files, to the “uploads” directory. The .swp extension is added to the uploaded files when they are written to the file system. However, if the “uploads” directory is writable and if the Web server is configured to interpret .php.swp files as PHP code, PHP injection can be achieved.

Another issue discovered by Hop refers to the fact that passwords are stored in the “iwp_users.passwords” file without being properly hashed. The passwords are stored as unsalted SHA1 hashes, which makes them easy to crack.

“Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied,” Hop explained in a blog post.

InfiniteWP addressed one of the SQL injection bugs on November 27 with the release of version 2.4.3. The other SQL injection flaw and the unrestricted file upload vulnerability were fixed on December 9 when the company released version 2.4.4. The insecure password storage issue remains unfixed.

Advertisement. Scroll to continue reading.

The researcher advises InfiniteWP users to update their installations, change administration passwords to something complex, and re-add their websites to the admin panel in order to generate new secret keys. The experts also recommends checking the “upload” directory for the presence of any suspicious files, and limiting access to the administration panel.

Last week, researchers at Sucuri reported uncovering a critical vulnerability in the WordPress Download Manager plugin. The security hole, which can be exploited to upload backdoors to affected websites, has been fixed with the release of version 2.7.5.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.