Zero-day vulnerability in WP Mobile detector

Arbitrary file upload

Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26.

Vulnerability details

Advisory: SB2016052901 - Arbitrary file upload in WP Mobile detector

Vulnerable component: WP Mobile detector

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

CWE-ID: CWE-20 - Improper input validation

Description:

The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.

The weakness exists due to the failure to validate and sanitize input. A remote attacker can send a request toresize.php or timthumb.php inside the plugin directory with the backdoor URL that contains a PHP code.

Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.

Note: the vulnerability was being actively exploited.