We fixed a major SQL injection bug and released an update in the admin panel on Dec 2nd (described here). We have released a new version which fixes these security issues.
Make sure to update your admin panel to v2.4.4.
IP Address restriction: There was a bug introduced recently in this feature and we have fixed it in this version.
We have added the SQL queries which take external data in quotes to make it extra secure.
Upload script is now authenticated to add an extra layer of security during file uploads.
We are working on improving the security aspects of InfiniteWP. A 2-factor authentication module is in the works already! We created InfiniteWP as a self-hosted platform with security and privacy at the heart. None of the bugs reported can be exploited if the path to the admin panel is not known. (But this does not make security any less important for us.) We strongly recommend that our users not expose the panel URL anywhere.
Tip: Secure your admin panel with these measures for additional security – http://infinitewp.com/docs/how-to-secure-the-infinitewp-admin-panel/
We would like to thank Walter Hop from Slik BV for bringing this to our notice.