If you use the InfiniteWP Client plugin, log into your sites and check for updates. According to Sucuri, versions under 1.3.8 are susceptible to a privilege escalation attack as well as a potential Object Injection Vulnerability. InfiniteWP Client is used to communicate to the Infinite WP service to manage WordPress sites remotely.
A malicious individual can use the vulnerability to disable a website by putting it into maintenance mode. If an attacker knows the site’s administrator username, they can force the site to display malicious content. Once the site is in maintenance mode, the following items can be injected into the site.
- Javascript or iframe malware.
- Spam links
- Defacement messages (the infamous “hacked by” type of attack)
You’re strongly encouraged to update the plugin as soon as possible. The patched version is 1.3.8 and is available on the WordPress plugin directory.