Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 1
Arbitrary file upload in WP Mobile detector
Arbitrary file upload
The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.The weakness exists due to the failure to validate and sanitize input. A remote attacker can send a request toresize.php or timthumb.php inside the plugin directory with the backdoor URL that contains a PHP code.
Successful exploitation of the vulnerability may result in malicious files uploading and vulnerable system compromising.
Note: the vulnerability was being actively exploited.
Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26.
Software: WP Mobile detector
Links:
https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-d...
https://threatpost.com/wordpress-patches-zero-day-in-wp-mobile-detector-plugin/118458/ https://www.recoverwp.com/en/arbitrary-file-upload-vulnerability-in-wp-mobile-detector/
https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
http://news.softpedia.com/news/wordpress-sites-under-attack-from-new-zero-day-in-wp-mobile-detector-...
https://vulners.com/threatpost/WORDPRESS-PATCHES-ZERO-DAY-IN-WP-MOBILE-DETECTOR-PLUGIN/118458
http://www.spamfighter.com/News-20313-WordPress-Websites-Being-Assaulted-Through-Fresh-0-Day-within-...
http://www.builditdigital.com/blog/wp-mobile-detector-plugin-makes-over-10-000-wordpress-sites-vulne...
http://www.zdnet.com/article/over-10000-wordpress-sites-vulnerable-to-exploit/