This admin panel is a standalone PHP application that is installed on a website and used as an interface to manage multiple WordPress websites.
The disclosed vulnerability includes several issues, the most serious of which appear to allow unauthenticated SQL injection. There is also a file upload vulnerability but only for certain web server configurations.
Initially disclosed on November 26th, InifiniteWP has released two fixes, the most recent of which were released yesterday.
The following recommendations can help protect your sites from the vulnerabilities:
- Upgrade InfiniteWP Admin Panel to version 2.4.4.
- Check the uploads directory for the presence of any unauthorized file uploads.
- Change admin passwords for the InfiniteWP Admin Panel and any WordPress sites in the panel. Use long and unique passwords.
- Remove and re-add WordPress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
- Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.
share this information with other WordPress site administrators to help keep the community safe.