WordPress plugin with 10,000+ installations being exploited in the wild

by Dan Goodin
A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector, security researchers warned.
The security flaw stems from the plugin's failure to remove malicious input submitted by website visitors. Because the WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin.
"The vulnerability is very easy to exploit," Sucuri security analyst Douglas Santos wrote. "All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL."

Uninstall now

With no update available, the most sensible course of action for vulnerable websites is to completely uninstall WP Mobile Detector. A partial fix involves disabling PHP execution in the plugin's subdirectory, but that measure doesn't stop attackers from uploading malicious files to that directory and linking to them elsewhere online. Website administrators may also revoke write permissions altogether in the subdirectory, but that may prevent the plugin from working. Most application level firewalls don't provide meaningful protection against the exploits either, although Sucuri said its firewall service does provide a patch using a virtual hardening engine. The vulnerability can be exploited only when PHP option allow_url_fopen is enabled.
If the exploit's invocation of resize.php sounds familiar, it may be because of the recent vulnerability detected in ImageMagick, a widely used image-processing library that many sites use directly or indirectly to resize images uploaded by end users. However, Sucuri CTO Daniel Cid told Ars that there's no connection between the two vulnerabilities.
Post updated to add link to original disclosure and detail about exploitability.

Comments