Over 10,000 WordPress sites vulnerable to exploit
Security researchers have warned that over 10,000 websites powered by the WordPress content management system (CMS) are at risk of exploit due to a plugin containing a zero-day flaw.
The WP Mobile Detector plugin is the source of the issue, containing a zero-day vulnerabilityfirst disclosed by the Plugin Vulnerabilities team.
The security researchers became aware of a potential problem after receiving a HEAD request for a WP Mobile Detector file, blog/wp-content/plugins/wp-mobile-detector/resize.php, on a CMS domain which did not have the software installed.
The team investigated further and realized it was most likely that “someone was checking for the existence of the file before trying to exploit a vulnerability in the plugin.”
The vulnerability itself is “easy to exploit,” according to Sucuri. The zero-day can compromise a website and act as a backdoor to the CMS simply through sending the HEAD request with the backdoor URL.
“It’s a simple vulnerability that stems from failing to validate and sanitize input from untrusted sources,” Sucuri says. “No security checks are performed and an attacker can feed the src variable with a malicious URL that contains a PHP code.”
Cyberattackers leveraging the flaw have been using the problem to load websites with porn and spam-related scripts.
The team behind WP Mobile Detector were informed of the zero-day vulnerability on 29 May and the wordpress.org Plugin Directory was notified two days later, leading to the temporary removal of the plugin.
Several days ago, there were over 10,000 active installations of the plugin recorded.
On 31 May, the developers of the plugin patched the issue and the plugin has been restored. Users should update to either version 3.6 or 3.7, both of which are now no longer vulnerable to attacks exploiting the vulnerability.
Source | ZDNET