
Cloud Vulnerability DB
A community-led vulnerabilities database
The InfiniteWP Client plugin before version 1.9.4.5 for WordPress contains a critical authentication bypass vulnerability (CVE-2020-8772) discovered in January 2020. The vulnerability stems from a missing authorization check in the iwp_mmb_set_request function within init.php, which allows any attacker who knows an administrator's username to gain unauthorized administrative access to the affected WordPress site (NVD, Patchstack).
The vulnerability is a logic flaw in the authentication mechanism. The issue resides in the iwp_mmb_set_request function, where the request_params variable of the IWP_MMB_Core class is checked. The flaw is reachable when the iwp_action parameter equals 'readd_site' or 'add_site', as these actions lack proper authorization checks. Triggering it requires encoding the payload as JSON and then Base64 before sending it as a raw POST request to the site (Patchstack). The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability affects over 300,000 WordPress websites using the InfiniteWP Client plugin. When exploited, it allows attackers to bypass authentication and gain unauthorized administrative access to affected WordPress sites, potentially leading to complete site compromise (Patchstack).
The vulnerability was patched in InfiniteWP Client version 1.9.4.5. The fix prevents the add_site and readd_site actions from populating the request_params variable by adding early returns to the function. Site administrators are strongly advised to update to version 1.9.4.5 or later (Patchstack).
The developer responded quickly to the vulnerability report, releasing patches the day after the initial report. The security community noted that cloud-based firewalls might struggle to protect against this vulnerability due to its nature, as malicious payloads are difficult to distinguish from legitimate traffic (Patchstack).
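Because the Base64 wrapping hides the action name from simple signature matching, a defender-side check has to decode the body first. The following is an added example (not code from Patchstack, NVD or the plugin itself) that decodes a raw POST body, flags requests whose iwp_action is add_site or readd_site, and tests whether an installed version predates the fix; it assumes the body is Base64-encoded JSON with iwp_action as a top-level key, and the sample bodies are constructed.

```python
import base64
import binascii
import json

# The two actions that lacked an authorization check in CVE-2020-8772.
UNAUTHENTICATED_SITE_ACTIONS = {"add_site", "readd_site"}
# First fixed release, as a comparable tuple.
PATCHED_VERSION = (1, 9, 4, 5)


def decode_iwp_request(raw_body: str):
    """Decode a Base64-wrapped JSON body; return the dict or None.

    Ordinary WordPress traffic (form-encoded, plain JSON, binary) is not
    valid Base64 JSON and yields None instead of raising."""
    try:
        decoded = base64.b64decode(raw_body, validate=True)
        data = json.loads(decoded)
    except (binascii.Error, ValueError):
        return None
    return data if isinstance(data, dict) else None


def is_site_add_request(raw_body: str) -> bool:
    """True when the body targets the add_site / readd_site actions.

    Legitimately these appear only while an InfiniteWP admin panel first
    connects to a site; on an unpatched site, any other source warrants
    investigation."""
    data = decode_iwp_request(raw_body)
    return data is not None and data.get("iwp_action") in UNAUTHENTICATED_SITE_ACTIONS


def parse_version(version: str) -> tuple:
    """'1.9.4.4' -> (1, 9, 4, 4); a shorter prefix sorts below a longer one."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """Every release before 1.9.4.5 is affected."""
    return parse_version(version) < PATCHED_VERSION


# Constructed sample bodies (not captured traffic).
SAMPLE_SUSPECT = base64.b64encode(json.dumps({"iwp_action": "add_site"}).encode()).decode()
SAMPLE_OTHER = base64.b64encode(json.dumps({"iwp_action": "constructed_other"}).encode()).decode()
SAMPLE_FORM = "action=heartbeat&_nonce=abc123"

if __name__ == "__main__":
    for body in (SAMPLE_SUSPECT, SAMPLE_OTHER, SAMPLE_FORM):
        print(body[:24], "->", is_site_add_request(body))
```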
Source: This report was generated using AI