CVE-2020-8772

Severity: CRITICAL · Nuclei template available

InfiniteWP Client <1.9.4.5 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8772. PoCs published by WebARX, wvu, including Metasploit module exploits/unix/webapp/wp_infinitewp_auth_bypass. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits an authentication bypass in the WordPress InfiniteWP Client plugin (CVE-2020-8772) to log in as an administrator and execute arbitrary PHP code by overwriting a specified plugin file. It includes functionality to restore the original file contents post-exploitation.

Description

The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in.

Exploits (1)

metasploit · WORKING POC · MANUAL
by WebARX, wvu · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress InfiniteWP Client < 1.9.4.5
No auth needed
Prerequisites: Valid WordPress administrator username · WordPress version < 4.9
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
CRITICAL · VERIFIED · by princechaddha, scent2d

References (2)

Core References
Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/10011

Scores

CVSS v3: 9.8
EPSS: 0.8787
EPSS Percentile: 99.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-862
Status: published
Products (1): revmakx/infinitewp_client < 1.9.4.5
Published: Feb 06, 2020
Tracked Since: Feb 18, 2026