First reported by Sucuri, the WPTouch plugin has a dangerous security vulnerability and users are encouraged to update immediately. WPTouch is used to quickly add mobile support to websites and has over 5 million downloads, making it one of the most popular plugins in the WordPress plugin directory.

According to Sucuri, WPTouch incorrectly uses the “admin_init” hook, which can allow users without the correct capabilities to upload malicious files to the server. MailPoet, another popular plugin, recently suffered from the same type of security issue. Taking advantage of the bug is a simple two-step process.
All an attacker had to do in order to compromise a vulnerable website was to:
- Log in and get his nonce via wp-admin
- Send an AJAX file upload request containing the leaked nonce and his backdoor
So long story short – don’t only use nonces to protect sensitive methods, always add functions such as “current_user_can()” or the like to confirm a user’s right to do something.
The vulnerability only affects sites that have registration enabled but you should update regardless. Users should already see an upgrade notification in the dashboard.
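The nonce-only pattern described above, next to a handler that also checks capabilities, as an added example. This is not WPTouch's code: the `example_*` function names, the `example_upload` action and the `nonce` and `file` field names are hypothetical, and the file assumes it is loaded as a plugin inside WordPress.

```php
<?php
// Hypothetical plugin code; every example_* name is invented for illustration.

// Weak pattern: admin_init runs on every wp-admin request, whatever the
// user's role, so a nonce created and printed here reaches subscribers too.
function example_weak_expose_nonce() {
    $GLOBALS['example_upload_nonce'] = wp_create_nonce( 'example_upload' );
}

// Weak handler: a valid nonce proves the request came from a session that
// was handed the nonce, not that the user is allowed to upload files.
function example_weak_upload() {
    check_ajax_referer( 'example_upload', 'nonce' );
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json_success( $result );
}
// The two weak functions are deliberately left unregistered.

// Hardened: only hand the nonce to users who hold the capability.
function example_expose_nonce() {
    if ( current_user_can( 'upload_files' ) ) {
        $GLOBALS['example_upload_nonce'] = wp_create_nonce( 'example_upload' );
    }
}
add_action( 'admin_init', 'example_expose_nonce' );

// Hardened handler: the nonce guards against CSRF, current_user_can()
// decides authorization, and both must pass before the file is touched.
function example_hardened_upload() {
    check_ajax_referer( 'example_upload', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file sent' ), 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
// wp_ajax_{action} only fires for logged-in users; no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_upload', 'example_hardened_upload' );
```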
Anyone know if this applies to WPTouch 2.x, or is this a vulnerability that only exists in WPTouch 3.x? I’m not using WPTouch on very many sites, but the few that do still use it are using my old 2.x dev license.