WordPress users who manage their sites through InfiniteWP could have their sites compromised if the client isn't updated.
A Sucuri researcher found a vulnerability in the plugin that could allow an attacker to disable user web sites by putting them in maintenance mode, thus giving an attacker control of the maintenance page's content. The attacker would only need the site administrator's username to gain control.
With this information, JavaScript or iframe malware can be injected, as well as spam links and defacement messages.
Although specifics of the vulnerability weren't divulged, the researcher noted the client listens for commands though the php://input stream used perform administrative actions. The actions are authenticated through an OpenSSL PHP library that typically blocks phony requests. In this case, the plugin allowed actions to be executed before authenticating.
Any Infinite WP version below 1.3.8 is vulnerable.
