Menu
A new WordPress plug-in exploit endangers thousands of websites

A new WordPress plug-in exploit endangers thousands of websites

WP Mobile Detector flaw allowed hackers to install malicious files on servers

Over the past few days, attackers have been exploiting an unpatched vulnerability in WP Mobile Detector, a WordPress plug-in installed on over 10,000 websites.

The plug-in's developer fixed the flaw Tuesday in version 3.6, but in addition to updating immediately, users should also check if their websites haven't already been hacked.

The vulnerability is located in a script called resize.php script and allows remote attackers to upload arbitrary files to the Web server. These files can be backdoor scripts known as Web shells that provide attackers with backdoor access to the server and the ability to inject code into legitimate pages.

The flaw was discovered by WordPress security outfit PluginVulnerabilities.com after it observed requests for the wp-content/plugins/wp-mobile-detector/resize.php even though it didn't exist on its server. This indicated that someone was running an automated scan for that specific file, likely because it had a flaw.

Researchers from Web security firm Sucuri have analyzed the company's firewall logs and discovered exploitation attempts since May 27, four days before the patch was released. It's possible that attackers have known about the exploit even before that date.

WP Mobile Detector, which shouldn't be confused with a different unaffected plug-in called WP Mobile Detect, used to have more than 10,000 active installations at the beginning of May. Now it has around 2,000, but after the exploit was discovered, the plug-in was briefly removed from the WordPress.org plug-ins directory.

According to Plugin Vulnerabilities there is a limiting factor: in order for this flaw to be exploitable, the allow_url_fopen feature needs to be enabled on the server.

Since it's not clear how many websites have been hacked, it's a good idea for WordPress website owners who use this plug-in to check their servers for signs of compromise.

"At this moment the majority of the vulnerable sites are infected with porn spam doorways," Sucuri researcher Douglas Santos said in a blog post. "You can usually find the gopni3g directory in the site root, that contains story.php (doorway generator script), .htaccess and subdirectories with spammy files and templates."


Follow Us

Join the newsletter!

Error: Please check your email address.

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments