It was reported back in January this year that two WordPress plugins – WP Time Capsule, a backup plugin and InfiniteWP Client, a management plugin – contained flaws potentially allowing an attacker to gain unauthorized admin access to WordPress sites running outdated versions of those plugins.
The flaws were discovered and reported at the time by WebArx, specialists in the WordPress publishing platform and other content management systems (CMSs). The developers of both plugins made patches available the very next day, which is impressive.
WP Time Capsule is installed on 20,000+ sites, whilst InfiniteWP Client has a far wider audience of 300,000+ (according to the WordPress Plugin Library figures), although its own webpage reports over 513,000 active sites with the plugin installed. Either way, it’s a fairly high number.
So, if you are running a WordPress site with either of these plugins deployed and active, please check that you have a patched version installed: v1.21.16 or higher for WP Time Capsule, and v220.127.116.11 or greater for InfiniteWP Client.
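One way to run that check, as an added example that is not code from WebArx or the plugin developers: it reads the `Version:` line from a plugin's main PHP file and compares it numerically with the minimum patched version, since a plain string comparison would rank 1.21.9 above 1.21.16. The function names are hypothetical and the sample headers are constructed; the WP Time Capsule minimum is the one given above, and the same call works for InfiniteWP Client with its own minimum.

```python
import re

# Minimum patched version, taken from the article text above.
MIN_WP_TIME_CAPSULE = "1.21.16"


def parse_plugin_version(php_source):
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version):
    """Turn '1.21.16' into (1, 21, 16); a non-numeric part counts as 0."""
    parts = []
    for part in version.strip().lstrip("vV").split("."):
        digits = re.match(r"\d+", part)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_patched(installed, minimum):
    """Numeric, component-wise comparison; shorter versions are zero-padded."""
    a, b = version_tuple(installed), version_tuple(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_plugin(php_source, minimum):
    """Classify a plugin file as 'patched', 'outdated' or 'unknown'."""
    installed = parse_plugin_version(php_source)
    if installed is None:
        return "unknown"  # no header found: inspect this site by hand
    return "patched" if is_patched(installed, minimum) else "outdated"


# Constructed sample plugin headers (not copied from the real plugin files).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: WP Time Capsule\nVersion: 1.21.9\n*/\n"
SAMPLE_NEW = SAMPLE_OLD.replace("1.21.9", "1.21.16")

if __name__ == "__main__":
    for label, source in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, parse_plugin_version(source),
              check_plugin(source, MIN_WP_TIME_CAPSULE))
```
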
As a side note, if your web host is of the Managed WordPress variety then you shouldn’t have to worry about manually updating these plugins yourself, as this will (or should) all be taken care of by your web host provider. On the other hand, if you don’t have Managed WordPress hosting then it is down to you to ensure updates are applied in a timely fashion.
If you are interested in reading more about these particular vulnerabilities, see the full article published by WebArx.