WP Time Capsule Plugin Update Urged After Critical Security Flaw
15-July-24
Security researchers have found a new vulnerability in the Backup and Staging by WP Time Capsule plugin, affecting versions 1.22.20 and below. The WordPress plugin, with over 20,000 active installations, facilitates website backups and update management through cloud-native file versioning systems. However, the flaw allowed unauthorized users to exploit a broken authentication mechanism, potentially gaining administrative access to affected sites.
The vulnerability, discovered by security experts at Patchstack, stemmed from a logical error in the plugin’s code, specifically in the wptc-cron-functions.php file. By exploiting this flaw, attackers could bypass critical authentication checks, manipulating JSON-encoded POST data to elevate their privileges and effectively log in as site administrators. It allows any unauthenticated user to log into the site as an administrator with a single request,” Patchstack explained. The only prerequisite is that someone has set up the plugin with a connection to the wptimecapsule.com site.
