We have fixed two vulnerabilities, one in the client plugin and one in the admin panel, and released updates. We strongly recommend that you update both immediately.
Updated versions –
- InfiniteWP Client plugin v1.3.8 (Released on 2 Dec) – View change log
- InfiniteWP admin panel v2.4.3 (Released on 27 Nov) – View change log
Client plugin bug
If an attacker knows your WordPress admin username, they could put your site into maintenance mode. Sucuri contacted us about the bug, and we patched it and released an update immediately. The bug was introduced in our Flash update (v1.3.4), when we added the maintenance mode option to the admin panel: that call was not routed through the OpenSSL-based authentication that the client plugin applies to requests from the admin panel, so the request was accepted without that check. Fortunately, no incident involving this bug has been reported to us so far.
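To make the class of bug concrete, here is an added illustration in PHP; it is not InfiniteWP's code, and the field names, the canonical payload format, the key handling and the `maintenance_mode` action are all assumptions. The hardened dispatcher verifies every request against the admin panel's public key with `openssl_verify` before any action runs; the vulnerable variant has a maintenance-mode branch placed in front of that check, so anyone who knows the admin username can reach it.

```php
<?php
// Added illustration; not InfiniteWP's code. Field names, payload format and
// the maintenance_mode action are assumptions made for this example.

// The signed bytes must be built identically by the admin panel and the plugin.
function canonical_payload(string $username, string $action, array $params): string
{
    return json_encode(['username' => $username, 'action' => $action, 'params' => $params]);
}

function dispatch(string $action, array $params): array
{
    if ($action === 'maintenance_mode') {
        return ['ok' => true, 'maintenance' => (bool) ($params['enabled'] ?? false)];
    }
    return ['ok' => false, 'error' => 'unknown action'];
}

function signature_valid(array $req, string $public_key_pem): bool
{
    $sig = base64_decode((string) ($req['signature'] ?? ''), true);
    $key = openssl_pkey_get_public($public_key_pem);
    if ($sig === false || $key === false) {
        return false;
    }
    $payload = canonical_payload((string) $req['username'], (string) $req['action'], (array) ($req['params'] ?? []));
    return openssl_verify($payload, $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// Hardened dispatcher: every action, maintenance mode included, is accepted
// only after the request is verified against the admin panel's public key.
function handle_request(array $req, string $public_key_pem, string $stored_username): array
{
    $username = (string) ($req['username'] ?? '');
    // Knowing the admin username must never be sufficient on its own.
    if (!hash_equals($stored_username, $username)) {
        return ['ok' => false, 'error' => 'unknown user'];
    }
    if (!signature_valid($req, $public_key_pem)) {
        return ['ok' => false, 'error' => 'bad signature'];
    }
    return dispatch((string) ($req['action'] ?? ''), (array) ($req['params'] ?? []));
}

// Vulnerable dispatcher: the maintenance-mode branch sits in front of the
// signature check, so a request with the right username and no signature
// still reaches it.
function handle_request_vulnerable(array $req, string $public_key_pem, string $stored_username): array
{
    $username = (string) ($req['username'] ?? '');
    $action   = (string) ($req['action'] ?? '');
    $params   = (array)  ($req['params'] ?? []);
    if (!hash_equals($stored_username, $username)) {
        return ['ok' => false, 'error' => 'unknown user'];
    }
    if ($action === 'maintenance_mode') {      // BUG: dispatched before signature_valid()
        return dispatch($action, $params);
    }
    if (!signature_valid($req, $public_key_pem)) {
        return ['ok' => false, 'error' => 'bad signature'];
    }
    return dispatch($action, $params);
}

// --- Constructed demo: a throwaway admin-panel key pair and two requests ---
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub  = openssl_pkey_get_details($priv)['key'];
$user = 'admin';

// Forged request: correct username, no signature at all.
$forged = ['username' => $user, 'action' => 'maintenance_mode', 'params' => ['enabled' => true]];
var_dump(handle_request_vulnerable($forged, $pub, $user)); // accepted: site enters maintenance mode
var_dump(handle_request($forged, $pub, $user));            // rejected with 'bad signature'

// Legitimate request: same body, signed by the admin panel's private key.
$signed = $forged;
openssl_sign(canonical_payload($user, 'maintenance_mode', $signed['params']), $sig, $priv, OPENSSL_ALGO_SHA256);
$signed['signature'] = base64_encode($sig);
var_dump(handle_request($signed, $pub, $user));            // accepted: signature verifies
```

The point to take from the example is structural rather than cryptographic: the fix is not a stronger signature scheme but making sure that no action handler can be reached on a code path that skips the verification step, which is easiest to guarantee when the check lives in one place ahead of the dispatch rather than being repeated per action.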
Tip: Doing a Reload Data in your admin panel will bring up a popup to update the client plugin on all your sites.
Admin panel bug
We fixed a SQL injection bug in the InfiniteWP admin panel.
We made a mistake by delaying this communication to our users, and we sincerely apologise for that. We only tweeted about the security release, and we now realise that was not remotely enough. We will take this as a lesson and communicate proactively in future. We are going to have the complete code base audited by a leading security company to make the platform as secure as possible.
Tip: Secure your admin panel with these measures for additional security – http://infinitewp.com/docs/how-to-secure-the-infinitewp-admin-panel/
Make sure you update both immediately, and let your friends who use InfiniteWP know about this using the sharing options below.