Developers have issued a patch to a popular WordPress plugin that addresses a vulnerability being exploited in the wild.
The patch applies to WP Mobile Detector, a plugin for the popular blogging platform that detects whether a visitor is browsing a WordPress website from a standard mobile phone or a smartphone and loads a compatible mobile theme of the site for each.
More than 10,000 users had previously activated a vulnerable version of the plugin on their websites.
On Tuesday, the team at Plugin Vulnerabilities published a blog post explaining how they came across an arbitrary file upload vulnerability in WP Mobile Detector. The flaw in essence allows an attacker to upload any file they want onto a website.
Just a few days later, researchers at Sucuri observed malicious actors leveraging the vulnerability to upload porn spam onto vulnerable websites.
As Sucuri security analyst Douglas Santos notes in a blog post, it didn’t take much effort for attackers to begin actively exploiting the bug:
“The vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.”
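A defender's check that follows from the description above, added here as an example and not code from the article, Sucuri or the plugin: scan web server access logs for requests to resize.php or timthumb.php inside the plugin directory whose query string carries a remote URL, which is the shape of request the quote describes. The plugin directory slug and the query parameter name are assumptions, since the article names only the two files; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# Lines 1 and 2 carry a remote URL to the two files named in the article,
# line 3 is a local image resize, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://example.invalid/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2016:10:12:05 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http://example.invalid/x.php HTTP/1.1" 200 512 "-" "curl/7.47"
192.0.2.9 - - [02/Jun/2016:10:13:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jun/2016:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two files the article names. The directory slug is an assumption
# (the default install path for the plugin); adjust to your site.
SUSPECT_FILES = {"resize.php", "timthumb.php"}
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"


def is_remote_url(value):
    """True when a query value is an absolute URL pointing at another host."""
    p = urlparse(value)
    return p.scheme in ("http", "https", "ftp") and bool(p.netloc)


def suspicious_requests(log_text):
    """Return requests to the suspect files whose query string carries a remote URL.

    Parameter name is not assumed: every query value is checked, so the rule
    still fires if the attacker uses a parameter other than 'src'.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("path"))
        if not target.path.startswith(PLUGIN_DIR):
            continue
        filename = target.path.rsplit("/", 1)[-1]
        if filename not in SUSPECT_FILES:
            continue
        remote = [
            v for values in parse_qs(target.query).values()
            for v in values if is_remote_url(v)
        ]
        if remote:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "file": filename,
                "remote_url": remote[0],
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} -> {hit['file']} fetched {hit['remote_url']} (HTTP {hit['status']})")
```

A hit with a 200 status on a site still running a version before 3.7 is a reason to inspect the plugin's cache or upload directory for newly written files and to apply the update; a local relative path in the query, as in the third sample line, is the plugin's normal image-resizing use and is not flagged.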
The Plugin Vulnerabilities team notified the plugin’s developers of the flaw on May 29th. They also notified the wordpress.org Plugin Directory two days later, causing the plugin to be removed from the directory that very same day.
Since then, the authors of WP Mobile Detector have patched their plugin. Users are urged to upgrade to version 3.7 as soon as possible in order to avoid the ongoing porn spam campaign observed by Sucuri.
The wordpress.org Plugin Directory has also reinstated the plugin. You can find the latest version of WP Mobile Detector available for download here.