WordPress Security: Multiple Vulnerabilities in InfiniteWP Admin Panel. Upgrade immediately.
About an hour ago researcher Walter Hop from Slik BV in the Netherlands disclosed multiple serious vulnerabilities in the InfiniteWP Admin Panel on the Full Disclosure and Bugtraq mailing lists. This admin panel is a standalone PHP application that is installed on a website and used as an interface to manage multiple WordPress websites.
The disclosure covers several issues, the most serious of which appear to allow unauthenticated SQL injection. There is also a file upload vulnerability, but it is exploitable only under certain web server configurations.
The issues were initially reported on November 26th, and InfiniteWP has since released two fixes, the most recent of which was released yesterday.
Details of the vulnerabilities were published an hour ago, approximately 24 hours after InfiniteWP released its final fix yesterday. This doesn't give customers much time to upgrade, but it has given attackers some of the information they need to exploit these vulnerabilities. So if you are using InfiniteWP's Admin Panel, you need to upgrade immediately.
The researcher recommends taking the following actions:
- Upgrade InfiniteWP Admin Panel to version 2.4.4.
- Check the uploads directory for the presence of any unauthorized file uploads.
- Change admin passwords for the InfiniteWP Admin Panel and any WordPress sites in the panel. Use long and unique passwords.
- Remove and re-add WordPress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
- Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.
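The two hands-on steps in the list above (checking the uploads directory for unauthorized files, and locking the panel down with `.htaccess` authentication and IP restrictions) can be scripted. The following POSIX shell helpers are an added example written for this post, not code from the advisory or from InfiniteWP: `check_uploads` lists any server-side script files found under a directory you pass it, and the two `make_*_htaccess` functions print `.htaccess` bodies in Apache 2.4 syntax. The directory paths, the `.htpasswd` location and the IP addresses are placeholders you substitute for your own host; the `.htaccess` contents assume `AllowOverride` permits `AuthConfig` and `Limit` directives in that directory.

```shell
#!/bin/sh
# Added example (not from the post or the InfiniteWP project).
# Helpers for two of the recommended actions after the InfiniteWP disclosure:
#   1. look for script files in the panel's uploads directory
#   2. generate .htaccess fragments that restrict access to the panel
# All paths and IPs used here are placeholders / constructed sample values.

# Print every file under "$1" whose extension suggests server-executable code.
# Legitimate uploads (backups, archives) should never have these extensions.
find_suspicious_uploads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php5' -o -iname '*.phar' \) 2>/dev/null
}

# Return 0 when the directory is clean, 1 when suspicious files are present
# (and print them so an administrator can review each one).
check_uploads() {
    hits=$(find_suspicious_uploads "$1")
    if [ -n "$hits" ]; then
        printf 'Suspicious files found in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    printf 'No script files found in %s\n' "$1"
    return 0
}

# Print an .htaccess body for the panel's web root: HTTP basic auth AND an
# IP allowlist must both pass (Apache 2.4 RequireAll semantics).
# $1 = absolute path to an .htpasswd file, remaining args = allowed IPs/CIDRs.
make_panel_htaccess() {
    htpasswd="$1"
    shift
    cat <<EOF
AuthType Basic
AuthName "InfiniteWP Admin Panel"
AuthUserFile $htpasswd
<RequireAll>
    Require valid-user
    Require ip $*
</RequireAll>
EOF
}

# Print an .htaccess body for the uploads directory so that, even if a script
# file does land there, the web server will not execute or serve it.
make_uploads_htaccess() {
    cat <<'EOF'
<FilesMatch "\.(php|phtml|php5|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Example usage (placeholders):
#   check_uploads /var/www/iwp-admin/uploads
#   make_panel_htaccess /etc/apache2/iwp.htpasswd 203.0.113.10 198.51.100.0/24 > /var/www/iwp-admin/.htaccess
#   make_uploads_htaccess > /var/www/iwp-admin/uploads/.htaccess
```

Run `check_uploads` first and inspect anything it reports before deleting it; a script file in the uploads directory is evidence worth preserving for incident response, not just clutter. The panel `.htaccess` layers two independent controls, so a leaked password alone or a spoofable source address alone is not enough to reach the panel. Note that the uploads `.htaccess` is a defence-in-depth measure; it does not replace the upgrade to 2.4.4.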
Please share this with other WordPress site administrators to help keep the community safe.
This is David, co-founder of InfiniteWP.
First up, thanks to Walter Hop for bringing this to our notice. And also thanks to WordFence for making WordPress a safer place :simple_smile:
The major SQL injection bug was fixed in v2.4.3 (15 days ago) and our users were notified. The fix in v2.4.4 that was released yesterday is relatively minor.
We created InfiniteWP as a self-hosted platform with security and privacy at the heart. None of the bugs reported can be exploited if the path to the admin panel is not known. (But this does not make security any less important for us.) We strongly recommend our users not to expose the panel URL anywhere. As mentioned in our blog post, we are going to get the complete code base audited by a leading security company and make sure InfiniteWP is safe and secure. And security improvements will be an ongoing process for us.
Make your admin panel even more secure with these options - http://infinitewp.com/docs/how-to-secure-the-infinitewp-admin-panel/
Thanks for weighing in David. Sounds like you're on top of this.