Advisory: InfiniteWP Admin Panel / Admin login
Advisory ID: HWADV2020-001
Revision: 1.0
Release Date: 11-NOV-2020
Last Modified: 11-NOV-2020
Date Reported: 30-JUN-2020
Author: Hermann Weiss (hw at whitehack.de)
Affected Software: InfiniteWP Admin Panel < 3.1.12.3
Vendor URL: https://infinitewp.com/
Solution Status: Fixed
CVE-ID: CVE-2020-28642

==========================
Vulnerability Description:
==========================

A remote attacker can request a reset of the admin password and calculate or brute-force the hash code used to generate a new password. After successfully generating a new password, the attacker is able to log in as admin and take full control of the admin panel.

The vulnerability is only exploitable if:

- the attacker knows the admin email address
- two-factor authentication is turned off (default)
- IP address restriction is off (default)
- folder protection is off (default)

==================
Technical Details:
==================

The function resetPasswordSendMail uses microtime() as a pseudo-random hash code. The generated hash code, which is validated in the function resetPasswordChange, is therefore easily guessable and can be brute-forced within a short time.

=========
Solution:
=========

Upgrade to the newest version of InfiniteWP Admin Panel.

====================
Disclosure Timeline:
====================

30-JUN-2020 - Initial vendor notification.
30-JUN-2020 - Initial vendor response.
10-SEP-2020 - InfiniteWP 3.1.12.3 available.
11-NOV-2020 - Release date of this security advisory.

========
Credits:
========

Vulnerability found and advisory written by Hermann Weiss.

=================
Revision History:
=================

Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information.

In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Copyright 2020 Hermann Weiss. All rights reserved.
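The weak pattern from the Technical Details section (a reset token derived only from microtime()) beside a hardened reset-token flow, as an added illustration written for this page and not code from InfiniteWP. The exact form of the weak token (md5 of microtime()), the function names and the in-memory store are assumptions.

```php
<?php
// Added illustration, not InfiniteWP's code: weak reset token beside a hardened flow.
declare(strict_types=1);

// Assumed shape of the weak pattern the advisory describes. The only input is the
// clock, so the token's entropy is bounded by the clock resolution inside the
// window in which the reset mail was sent: it is guessable, not unpredictable.
function weakResetToken(): string
{
    return md5((string) microtime(true));
}

// Hardened pattern: 32 bytes from the CSPRNG, stored only as a hash together with
// an expiry, and verified with a constant-time comparison.
function issueResetToken(array &$store, string $email, int $ttlSeconds = 900): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the OS CSPRNG
    $store[$email] = [
        'hash'    => hash('sha256', $token),     // never persist the raw token
        'expires' => time() + $ttlSeconds,       // short lifetime
    ];
    return $token;                               // sent to the user by e-mail
}

function verifyResetToken(array &$store, string $email, string $candidate): bool
{
    if (!isset($store[$email]) || time() > $store[$email]['expires']) {
        unset($store[$email]);                   // expired or unknown: drop it
        return false;
    }
    // hash_equals() avoids timing leaks; the 256-bit token is not brute-forceable,
    // and request-level rate limiting still belongs in front of this endpoint.
    if (!hash_equals($store[$email]['hash'], hash('sha256', $candidate))) {
        return false;
    }
    unset($store[$email]);                       // single use: consumed on success
    return true;
}

// Demo with a constructed account (no real user).
$store = [];
$token = issueResetToken($store, 'admin@example.invalid');
var_dump(verifyResetToken($store, 'admin@example.invalid', 'not-the-token'));
var_dump(verifyResetToken($store, 'admin@example.invalid', $token));
var_dump(verifyResetToken($store, 'admin@example.invalid', $token)); // already consumed
```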