WordPress users warned of plugin flaw being exploited in porn spam attack

Tens of thousands of websites running WordPress are thought to have been put at risk from a vulnerability that hackers have been actively exploiting to inject pornographic spam messages.

The problem lies in versions of a WordPress plugin called WP Mobile Detector, which attempts to detect if visitors are browsing a website on a mobile device, and display an appropriate theme for the platform rather than one designed for desktop browsers.

As security researchers at Sucuri report, the zero-day vulnerability in WP Mobile Detector was disclosed by the Plugin Vulnerabilities team at the end of May, a couple of days after the developers were informed of the problem.

Attackers were able to exploit a flaw in the plugin’s code that failed to properly validate and sanitise web input from untrusted sources, allowing anyone to feed malicious PHP code into a vulnerable website.

What raised alarm was the clear ease with which attackers could take advantage of the security hole, typically triggering a payload that allowed attackers to gain remote access, as Douglas Santos of Sucuri explained:

“The vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.”

The makers of WP Mobile Detector removed their vulnerable code from the WordPress plugin directory, while they worked on a fix – but that doesn’t mean, of course, that websites might not have been compromised in the meantime.

Prior to the plugin’s withdrawal from release, it reportedly had more than 10,000 active installations – and although that figure has seemingly slumped significantly since news of the vulnerability first broke, it’s likely that there are still websites out there at risk of being exploited via the flaw.

Yesterday, a new version of WP Mobile Detector was thankfully released by its developer Websitez which fixes the flaw (version 3.6) – and, at the time of writing, the latest edition is version 3.7.

Of course, a new version of the plugin isn’t much help unless website administrators update their version of the plugin as a matter of priority.

Readers should note that sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

The flaw described above is only an issue for self-hosted versions of WordPress running the WP Mobile Detector plugin. Furthermore, it is understood that the vulnerability requires the allow_url_fopen option to be enabled on the server to be exploitable.
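For administrators of self-hosted sites, the two details the article gives (requests to resize.php or timthumb.php inside the plugin directory carrying a remote URL, and the allow_url_fopen precondition) are enough to build a simple check. The following Python is an added example, not code from the article, Sucuri or the plugin; the plugin directory path, the query parameter name and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl
# Assumed install path; the article only says "inside the plugin directory".
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
ENDPOINTS = ("resize.php", "timthumb.php")   # the two endpoints Sucuri named

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" \d{3}')

# Constructed sample lines, not real traffic. The parameter name "src" is a guess,
# which is why the check inspects every query value rather than one named parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [31/May/2016:10:15:02 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://example.invalid/a.txt HTTP/1.1" 200 512
198.51.100.9 - - [31/May/2016:10:16:40 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=local.jpg&w=100 HTTP/1.1" 200 2048
192.0.2.7 - - [31/May/2016:10:17:01 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8192
203.0.113.5 - - [31/May/2016:10:18:22 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=hTTp%3A%2F%2F198.51.100.20%2Fx HTTP/1.1" 200 640
"""

def is_suspicious_request(line):
    """Return (client_ip, target) for a request to a plugin endpoint whose query
    string carries a remote http(s) URL; None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)                     # target is path?query only
    if not parts.path.startswith(PLUGIN_DIR):
        return None
    if parts.path.rsplit("/", 1)[-1] not in ENDPOINTS:
        return None
    # parse_qsl percent-decodes, so http%3A%2F%2F is compared as http://
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if re.match(r"https?://", value, re.IGNORECASE):
            return (m.group("ip"), target)
    return None

def scan_log(text):
    """Run is_suspicious_request over every line and return the hits."""
    return [hit for hit in map(is_suspicious_request, text.splitlines()) if hit]

def allow_url_fopen_enabled(ini_text):
    """Read allow_url_fopen from php.ini-style text. PHP's built-in default is On,
    so an absent directive counts as enabled; the last assignment wins."""
    enabled = True
    for raw in ini_text.splitlines():
        key, sep, value = raw.split(";", 1)[0].partition("=")   # drop comments
        if sep and key.strip().lower() == "allow_url_fopen":
            enabled = value.strip().strip('"').lower() in ("on", "1", "true", "yes")
    return enabled
```

Run `scan_log` over the real access log and `allow_url_fopen_enabled` over the output of `php --ini`'s loaded files; a hit on the first while the second is True is the combination the article describes.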

If you do self-host your WordPress site, you have to acknowledge that security is your responsibility (or find yourself a managed WordPress host who is prepared to take it on for you), as vulnerabilities are often found in the software and its many, many third-party plugins.

You can reduce the risk of your own site being compromised by keeping WordPress and its plugins updated, and keeping the number of plugins you use to a minimum.

And while we’re on the topic of confusing names, it’s worth underlining that the issue resides in WP Mobile Detector, not in other WordPress plugins which may have similar names (such as WP Mobile Detect).

And yes, naming can be very confusing in the world of technology. You’re not the only one to think so.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment


  • ‘And while we’re on the topic of confusing names, it’s worth underlining that the issue resides in WP Mobile Detector, not in other WordPress plugins which may have similar names (such as WP Mobile Detect).’

    And might have the exact same problem; the code given at the site you reference has no context, which makes evaluating how negligent the author might (or might not) have been difficult, but without context it’s pretty elementary.

    ‘And yes, naming can be very confusing in the world of technology. You’re not the only one to think so.’

    Perhaps so. But look at medical science or science in general… personally I don’t have a problem with it unless maybe people misuse terminology or there is no context whatsoever. Unfortunately this is common, examples being:

    They said ‘eye oh es’; so they surely mean Apple iOS! Except that there is Cisco IOS! And what if they use the wrong case when typed?

    DOS or DoS? There is a difference and anyone calling this semantics is absolutely correct! That’s the problem.

    Put this all another way: languages are complicated and words are added often by lexicographers. It’s not just technology I’m afraid.