WordPress plugin with 10,000+ installations being exploited in the wild

A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector, security researchers warned.

The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts, according to a blog post published Thursday. The underlying vulnerability in WP Mobile Detector came to light on Tuesday in this post. The plugin has since been removed from the official WordPress plugin directory. As of Wednesday, the plugin reportedly had more than 10,000 active installations, and it appears many remained active at the time this post was being prepared.

The security flaw stems from the plugin's failure to remove malicious input submitted by website visitors. Because the WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin.

"The vulnerability is very easy to exploit," Sucuri security analyst Douglas Santos wrote. "All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL."

Uninstall now

With no update available, the most sensible course of action for vulnerable websites is to completely uninstall WP Mobile Detector. A partial fix involves disabling PHP execution in the plugin's subdirectory, but that measure doesn't stop attackers from uploading malicious files to that directory and linking to them elsewhere online. Website administrators may also revoke write permissions altogether in the subdirectory, but that may prevent the plugin from working. Most application level firewalls don't provide meaningful protection against the exploits either, although Sucuri said its firewall service does provide a patch using a virtual hardening engine. The vulnerability can be exploited only when PHP option allow_url_fopen is enabled.

If the exploit's invocation of resize.php sounds familiar, it may be because of the recent vulnerability detected in ImageMagick, a widely used image-processing library that many sites use directly or indirectly to resize images uploaded by end users. However, Sucuri CTO Daniel Cid told Ars that there's no connection between the two vulnerabilities.

Post updated to add link to original disclosure and detail about exploitability.