WP Time Capsule Plugin Update Urged After Critical Security Flaw
Security researchers have found a new vulnerability in the Backup and Staging by WP Time Capsule plugin, affecting versions 1.22.20 and below.
The WordPress plugin, with over 20,000 active installations, facilitates website backups and update management through cloud-native file versioning systems.
However, the flaw allowed unauthorized users to exploit a broken authentication mechanism, potentially gaining administrative access to affected sites.
The vulnerability, discovered by security experts at Patchstack, stemmed from a logical error in the plugin’s code, specifically in the wptc-cron-functions.php file. By exploiting this flaw, attackers could bypass critical authentication checks, manipulating JSON-encoded POST data to elevate their privileges and effectively log in as site administrators.
“It allows any unauthenticated user to log into the site as an administrator with a single request,” Patchstack explained. “The only prerequisite is that someone has set up the plugin with a connection to the wptimecapsule.com site.”
Developer Response and Patch Implementation
This issue was reported to the plugin developers on July 3, who responded swiftly by releasing version 1.22.20 within six hours of notification to mitigate the initial vulnerability.
However, it was later noted that the initial patch was only partially effective, as the comparison method used in the fix could still potentially be circumvented.
Subsequently, version 1.22.21 was released on July 12, incorporating a more robust security fix involving additional hash comparisons to prevent further exploitation.
According to Patchstack, the incident underscores the importance of rigorous security protocols in plugin development for WordPress and other platforms.
“We always recommend applying proper access control and authorization checks when writing a function that involves setting the authorization of a request based on user input variables,” the company wrote.
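As an added illustration of the comparison weakness and the hash-based fix described above, and of Patchstack's advice on authorisation driven by request variables: this is hypothetical code written for this article, not the plugin's own, with a constructed secret and constructed JSON request bodies.

```php
<?php
declare(strict_types=1);

// Hypothetical handler (not the plugin's code): authorisation is decided from a
// token carried in a JSON-encoded POST body. The secret below is a constructed demo value.
const DEMO_SECRET = 'constructed-demo-secret';

// Weak pattern: whatever json_decode() produced is compared loosely with ==,
// so PHP type juggling applies and a value that is not the secret can still
// compare as equal (for example a JSON boolean against a non-empty string).
function is_authorised_weak(string $json_body, string $secret): bool
{
    $data = json_decode($json_body, true);
    return is_array($data) && isset($data['token']) && $data['token'] == $secret;
}

// Hardened pattern: require a string, compare hashes in constant time with
// hash_equals(), and keep the granted role a server-side decision rather than
// something the request body can choose.
function is_authorised_hardened(string $json_body, string $expected_hash): bool
{
    $data = json_decode($json_body, true);
    if (!is_array($data) || !isset($data['token']) || !is_string($data['token'])) {
        return false; // missing or wrongly typed token: deny, never coerce
    }
    return hash_equals($expected_hash, hash('sha256', $data['token']));
}

// Self-check over constructed request bodies.
function run_demo(): bool
{
    $expected_hash = hash('sha256', DEMO_SECRET);
    $good  = json_encode(['token' => DEMO_SECRET]);
    $bool  = '{"token": true}';             // not the secret, yet true == "non-empty" in PHP
    $wrong = json_encode(['token' => 'wrong']);

    $ok = is_authorised_weak($good, DEMO_SECRET) === true
       && is_authorised_weak($bool, DEMO_SECRET) === true        // loose check fooled
       && is_authorised_hardened($good, $expected_hash) === true
       && is_authorised_hardened($bool, $expected_hash) === false
       && is_authorised_hardened($wrong, $expected_hash) === false;
    echo $ok ? "hardened check rejects non-string and mismatched tokens\n"
             : "unexpected result\n";
    return $ok;
}

run_demo();
```

Run with `php demo.php`; the weak function is kept only to show why a type-checked, hash_equals() comparison is the right replacement.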
Users of the WP Time Capsule plugin are strongly advised to update to version 1.22.21 or later immediately to ensure their sites are protected.