911 Hack Removal

Authentication Bypass Vulnerability in WP Time Capsule Ver<1.21.16

Updated on: March 29, 2020

Authentication Bypass Vulnerability in WP Time Capsule Ver<1.21.16

Article Summary

WP Time Capsule is quite a popular WordPress plugin when it comes to WordPress back-ups & staging. It has turned the complex processes of backing up & staging a click’s affair. However, given the fragile nature of security in WordPress plugins, vulnerability disclosures are not quite unexpected. Certainly, the WP Time Capsule plugin is no exception. In fact, on the 8th of January, a serious Authentication Bypass Vulnerability was discovered in this popular plugin.

WP Time Capsule is quite a popular WordPress plugin when it comes to WordPress back-ups & staging. It has turned the complex processes of backing up & staging a click’s affair.

However, given the fragile nature of security in WordPress plugins, vulnerability disclosures are not quite unexpected. Certainly, the WP Time Capsule plugin is no exception. In fact, on the 8th of January, a serious Authentication Bypass Vulnerability was discovered in this popular plugin.

This revelation has put more than 20,000 active users of the plugin at risk. Even though the plugin development team fixed the vulnerability and released the patched version 1.21.16 that same day, anyone on outdated versions faces the threat.

WP Time Capsule on WordPress

If you are on any version prior to 1.21.16, update quickly.

So far, there is no news of an exploit. But, if you continue to be on the vulnerable version, there are a lot of things that can go wrong.

With this blog post, we will take you through the basics of Authentication Bypass in WordPress and answer questions such as – what is Authentication Bypass & how it affects your website. We will also let you in on the security fixes you can implement to check the threat.

Here we start.

What is Authentication Bypass in WordPress?

Filling in the login page is perhaps the first step you take to get access to internal information in a site or any other software for that matter. When someone gets access to your site, admin panel, user account, etc. without proper authentication, it is known as “Authentication Bypass”.

OWASP defines Authentication Bypass as follows,

..simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication..

How Does it Affect Your Website?

Of course, anyone getting illicit access to your website’s internal content is bad. However, the consequences of an Authentication Bypass can be much adverse. I am listing some of the known outcomes in the following segment:

  • An attacker with admin access can manipulate your website’s settings
  • The attacker can exploit the site’s content or misuse the confidential information
  • Hackers can upload a web shell on your website

There are other technical outcomes, that remain beyond the scope of this blog post.

What Should You Do?

Update.

As we already mentioned, the WP Time Capsule development team patched the vulnerability in updated version 1.21.16.

Updating to this version is the most prudent & logical step you can take.

Besides updating, implementing the following preventive measures shall only help you in protecting your WordPress site further:

  • Do not expose your authentication schema in the client-side web browser script
  • Validate all user input on the server-side
  • Set up an encrypted data transfer mechanism between your browser and the server.
  • Install a plugin to facilitate periodic re-authentication & session time out.
  • Send all cookies and session data over an encrypted channel.

At Last…

Know that using a vulnerable plugin on your website is the most common reason for getting hacked. We prompt all users of WP Time Capsule to move to the safe version as quickly as possible.

Additionally, securing your website with a dedicated security solution is always a recommendation.

If you have any questions to ask just comment below and someone from our team will get in touch.

Was this post helpful?

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog.Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity.When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany