Security researchers have found a new vulnerability in the Backup and Staging by WP Time Capsule plugin, affecting versions 1.22.20 and below.
The WordPress plugin, with over 20,000 active installations, facilitates website backups and update management through cloud-native file versioning systems.
The flaw allowed unauthenticated attackers to bypass the plugin's authentication mechanism, potentially gaining administrative access to affected sites.
The vulnerability, discovered by security experts at Patchstack, stemmed from a logical error in the plugin’s code, specifically in the wptc-cron-functions.php file. By exploiting this flaw, attackers could bypass critical authentication checks, manipulating JSON-encoded POST data to elevate their privileges and effectively log in as site administrators.
“It allows any unauthenticated user to log into the site as an administrator with a single request,” Patchstack explained. “The only prerequisite is that someone has set up the plugin with a connection to the wptimecapsule.com site.”
Developer Response and Patch Implementation
This issue was reported to the plugin developers on July 3, who responded swiftly by releasing version 1.22.20 within six hours of notification to mitigate the initial vulnerability.
However, it was later noted that the initial patch was only partially effective, because the comparison method used in the fix could still be circumvented.
Subsequently, version 1.22.21 was released on July 12, incorporating a more robust security fix involving additional hash comparisons to prevent further exploitation.
According to Patchstack, the incident underscores the importance of rigorous security protocols in plugin development for WordPress and other platforms.
“We always recommend applying proper access control and authorization checks when writing a function that involves setting the authorization of a request based on user input variables,” the company wrote.
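As an added illustration (not the plugin's code and not from Patchstack's write-up), here is the pattern that advice warns about: a handler that grants authorization from a user-supplied JSON value using a loose comparison, beside a hardened version that checks the input's type and compares with hash_equals. The stored token, function names and request bodies are constructed for the example.

```php
<?php
// Illustrative code, not the plugin's: an authorization decision derived
// from a JSON-encoded POST body, in a weak form and a hardened form.

// Constructed secret, standing in for whatever a site stores once it has
// been connected to a remote service.
const STORED_TOKEN = 'constructed-example-token';

// Weak pattern: trust the decoded JSON value as-is and compare loosely.
function weak_is_authorized(string $body): bool {
    $data = json_decode($body, true);
    // PHP's == juggles types: a JSON boolean true compares equal to any
    // non-empty string, so the real token is never needed to pass this check.
    return is_array($data) && isset($data['token']) && $data['token'] == STORED_TOKEN;
}

// Hardened pattern: require the expected shape and type, then compare
// strictly and in constant time.
function hardened_is_authorized(string $body): bool {
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['token']) || !is_string($data['token'])) {
        return false; // wrong shape or type: reject, never coerce
    }
    // hash_equals only accepts strings and is timing-safe.
    return hash_equals(STORED_TOKEN, $data['token']);
}

// Constructed request bodies for a quick self-check.
$cases = [
    'valid token'        => json_encode(['token' => STORED_TOKEN]),
    'wrong string token' => json_encode(['token' => 'wrong']),
    'boolean true'       => json_encode(['token' => true]),
    // 0 == "non-numeric string" was true before PHP 8.0, false from 8.0 on.
    'integer zero'       => json_encode(['token' => 0]),
    'not an object'      => '"just a string"',
];
foreach ($cases as $label => $body) {
    printf("%-20s weak=%-5s hardened=%s\n", $label,
        var_export(weak_is_authorized($body), true),
        var_export(hardened_is_authorized($body), true));
}
```

Only the valid-token body passes the hardened check, while the weak check also accepts the boolean-true body (and, on PHP 7, the integer-zero body).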
Users of the WP Time Capsule plugin are strongly advised to update to version 1.22.21 or later immediately to ensure their sites are protected.