A new WordPress plug-in exploit endangers thousands of websites

WP Mobile Detector flaw allowed hackers to install malicious files on servers

Over the past few days, attackers have been exploiting an unpatched vulnerability in WP Mobile Detector, a WordPress plug-in installed on over 10,000 websites.

The plug-in's developer fixed the flaw Tuesday in version 3.6, but in addition to updating immediately, users should also check if their websites haven't already been hacked.

The vulnerability is located in a script called resize.php script and allows remote attackers to upload arbitrary files to the Web server. These files can be backdoor scripts known as Web shells that provide attackers with backdoor access to the server and the ability to inject code into legitimate pages.

The flaw was discovered by WordPress security outfit PluginVulnerabilities.com after it observed requests for the wp-content/plugins/wp-mobile-detector/resize.php even though it didn't exist on its server. This indicated that someone was running an automated scan for that specific file, likely because it had a flaw.

Researchers from Web security firm Sucuri have analyzed the company's firewall logs and discovered exploitation attempts since May 27, four days before the patch was released. It's possible that attackers have known about the exploit even before that date.

WP Mobile Detector, which shouldn't be confused with a different unaffected plug-in called WP Mobile Detect, used to have more than 10,000 active installations at the beginning of May. Now it has around 2,000, but after the exploit was discovered, the plug-in was briefly removed from the WordPress.org plug-ins directory.

According to Plugin Vulnerabilities there is a limiting factor: in order for this flaw to be exploitable, the allow_url_fopen feature needs to be enabled on the server.

Since it's not clear how many websites have been hacked, it's a good idea for WordPress website owners who use this plug-in to check their servers for signs of compromise.

"At this moment the majority of the vulnerable sites are infected with porn spam doorways," Sucuri researcher Douglas Santos said in a blog post. "You can usually find the gopni3g directory in the site root, that contains story.php (doorway generator script), .htaccess and subdirectories with spammy files and templates."

Join the CSO newsletter!

Error: Please check your email address.

More about Santos

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place