Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site’s backend with no password.
The InfiniteWP Client Bug
The issue resides in the function iwp_mmb_set_request which is located in the init.php file. This function checks if the request_params variable of the class IWP_MMB_Core is not empty, which is only populated when the payload meets certain conditions.
WP Time Capsule Bug
Located in wptc-cron-functions.php line 12 where it parses the request. The parse_request function calls the function decode_server_request_wptc which check if the raw POST payload contains the string ‘IWP_JSON_PREFIX’.
Updated software plugins.