CVE-2020-28642:InfiniteWP Admin Panel before 3.1.12.3 uses weak password-reset codes that can lead to account takeover.

splash
Back

Description Preview

InfiniteWP Admin Panel versions prior to 3.1.12.3 contain a vulnerability in the password reset functionality. The resetPasswordSendMail function generates password-reset codes with insufficient entropy, making them predictable. This weakness allows remote attackers to potentially guess valid reset codes and take over administrator accounts without authorization.

Overview

This vulnerability (CVE-2020-28642) affects the InfiniteWP Admin Panel, a tool used to manage multiple WordPress websites from a single dashboard. The issue stems from the implementation of the resetPasswordSendMail function which generates password reset codes with insufficient randomness (CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator). Attackers can exploit this weakness to predict valid password reset codes, allowing unauthorized access to administrator accounts. The vulnerability is particularly severe as it could lead to complete compromise of all WordPress sites managed through the affected InfiniteWP instance.

Remediation

To address this vulnerability, system administrators should:

  1. Update InfiniteWP Admin Panel to version 3.1.12.3 or later immediately
  2. Review access logs for any suspicious password reset attempts
  3. Change administrator passwords after the update
  4. Consider implementing additional security measures such as two-factor authentication if available
  5. Limit access to the InfiniteWP Admin Panel to trusted IP addresses where possible

References

  1. WhiteHack Security Advisory: https://www.whitehack.de/advisories/HWADV2020-001.txt
  2. CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator - https://cwe.mitre.org/data/definitions/338.html
  3. MITRE CVE-2020-28642: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28642
  4. InfiniteWP Security Updates: https://infinitewp.com/docs/security-updates/

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services
    Accommodation & Food Services
  2. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  3. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  4. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  5. Construction
    Construction
  6. Educational Services
    Educational Services
  7. Finance and Insurance
    Finance and Insurance
  8. Health Care & Social Assistance
    Health Care & Social Assistance
  9. Information
    Information
  10. Management of Companies & Enterprises
    Management of Companies & Enterprises
  11. Manufacturing
    Manufacturing
  12. Mining
    Mining
  13. Other Services (except Public Administration)
    Other Services (except Public Administration)
  14. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  15. Public Administration
    Public Administration
  16. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  17. Retail Trade
    Retail Trade
  18. Transportation & Warehousing
    Transportation & Warehousing
  19. Utilities
    Utilities
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background