The component is very popular, has more than 5 million downloads

Jul 15, 2014 08:57 GMT  ·  By

The WPtouch component for WordPress has been found to be vulnerable to an attack that allows a logged-in user with non-administrative privileges to upload PHP files to the server.

The plugin has more than 5.5 million downloads, but the current security flaw affects only the 3.x versions. Website administrators relying on older builds, 1.x and 2.x, have nothing to worry about.

The component owes its popularity to the fact that it provides themes for rendering the website content on mobile devices. It can be customized easily from the administration panel without any impact on the desktop version of the theme.

Security researchers at Sucuri say that only the websites that allow registration of guest users, which is generally enabled for the comments section of the site, are in danger.

An attacker could abuse the “admin_init” hook in WordPress, which the plugin used as an authentication method, to gain unrestricted access to the website by uploading a remote shell.

Compromising the site is not complicated. The “admin_initialize()” method is called by the “admin_init” hook in the file “core/classwptouchpro.php.” The admin nonce (number used once) is then generated and added to the WordPress script queue.

“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says Marc-Alexandre Montpas from Sucuri in a blog post.

Basically, if an attacker logs into the website and gets the nonce via the wp-admin, they can send a file upload request that contains the nonce and the backdoor.

Montpas advises WordPress website administrators to use nonces in combination with other functions, like “current_user_can(),” in order to prevent unauthorized users from reaching sensitive areas.

A new version, 3.4.3, has been released for the WPtouch component, which fixes the current security flaw. Website administrators should update it as soon as possible in order to mitigate the risks.

The “admin_init” hook has also been abused in attacks on other highly popular WordPress components.

At the beginning of the month, MailPoet was also affected by a compromise method that employed this hook. Sucuri found that vulnerability too, but the company offered no technical details due to the severity of the issue.

At the time, Sucuri CTO Daniel Cid said that “the vulnerability resides in the fact that the developers assumed that WordPress’s ‘admin_init’ hooks were only called when an administrator user visited a page inside /wp-admin/.”
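To make the two points concrete, the nonce-only check that Montpas describes and the nonce-plus-capability check he recommends, together with the mistaken assumption about “admin_init” that Cid describes, the following is an added illustration written for this article. It is not code from WPtouch, MailPoet or Sucuri; the hook name, action name, nonce action and script handle (“example_upload”, “example_admin_nonce”, “example-admin”) are hypothetical, while the WordPress functions used are real WordPress API.

```php
<?php
/*
 * Added illustration, not plugin code. Shows (a) an upload handler guarded by
 * a nonce alone, the weak pattern described above, (b) the same handler with
 * the nonce kept for CSRF protection and current_user_can() added for
 * authorization, and (c) why a nonce minted on admin_init cannot authorize.
 * All hook/action/handle names are hypothetical.
 */

// (c) admin_init fires for every logged-in user who hits wp-admin or
// admin-ajax.php, not only for administrators. A nonce minted here is
// therefore handed to subscribers too, so it proves request origin, not role.
add_action( 'admin_init', 'example_enqueue_admin_nonce' );
function example_enqueue_admin_nonce() {
    wp_register_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'nonce' => wp_create_nonce( 'example_admin_nonce' ),
    ) );
    wp_enqueue_script( 'example-admin' );
}

// (a) Weak shape, shown for contrast only and deliberately NOT hooked:
// a valid nonce is the sole gate, so any account that was issued the nonce
// (any logged-in user, per the comment above) reaches the upload code.
function example_upload_handler_nonce_only() {
    check_ajax_referer( 'example_admin_nonce', 'nonce' );
    example_store_upload();
}

// (b) Hardened shape: this is the handler actually registered.
// wp_ajax_* actions are reachable by every logged-in user, so the handler
// itself must decide whether this user is allowed to upload.
add_action( 'wp_ajax_example_upload', 'example_upload_handler_hardened' );
function example_upload_handler_hardened() {
    // Nonce: protects against cross-site request forgery. Keep it.
    check_ajax_referer( 'example_admin_nonce', 'nonce' );

    // Capability: the authorization check that was missing. Subscribers
    // created through open registration do not have 'upload_files'.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    example_store_upload();
}

// Shared storage step. wp_handle_upload() enforces the WordPress allow-list
// of MIME types and extensions (which excludes .php by default) and moves the
// file into the uploads directory, so even an authorized user cannot drop
// executable server-side code through this path.
function example_store_upload() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two handlers differ by a single branch, which is the whole point of Montpas's advice: a nonce answers “did this request come from a page I served to this user?”, while current_user_can() answers “is this user allowed to do this?”. Only the second question stops a self-registered subscriber, and it has to be asked inside the handler because neither admin_init nor the wp_ajax_ hooks are restricted to administrators.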