CVE-2020-8772
CRITICAL · NUCLEI
InfiniteWP Client <1.9.4.5 - Privilege Escalation
Title source: llm
Description
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in.
Exploits (1)
metasploit
WORKING POC
MANUAL
by WebARX, wvu · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_infinitewp_auth_bypass.rb
Nuclei Templates (1)
WordPress InfiniteWP <1.9.4.5 - Authorization Bypass
CRITICAL · VERIFIED · by princechaddha, scent2d
Scores
CVSS v3
9.8
EPSS
0.9361
EPSS Percentile
99.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-862
Status
published
Affected Products (1)
revmakx/infinitewp_client
< 1.9.4.5
Timeline
Published
Feb 06, 2020
Tracked Since
Feb 18, 2026