
WP Mobile Detector plugin makes over 10,000 WordPress sites vulnerable to exploit

June 14, 2016
According to recent reports, over 10,000 websites powered by WordPress are at risk of exploitation because of a plugin containing a zero-day flaw. The source of the problem is the WP Mobile Detector plugin, which was reported to contain a zero-day vulnerability first disclosed by the Plugin Vulnerabilities team.

The issue came to light when security researchers noticed the potential problem after receiving a HEAD request for a WP Mobile Detector file, blog/wp-content/plugins/wp-mobile-detector/resize.php, on a domain that does not have the plugin installed.

Upon analyzing the request, the team concluded that someone was checking for the existence of the file before trying to exploit a vulnerability in the plugin. According to Sucuri, it is a simple vulnerability that stems from failing to validate and sanitize input from untrusted sources. They confirmed that no security checks are performed and that an attacker can feed the src variable a malicious URL that contains PHP code.
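The probe-then-exploit pattern described above leaves a recognizable trace in web server access logs. The following Python is an added example, not code from the article or from Sucuri; it parses constructed Apache combined-format log lines, flags requests to the plugin's resize.php, rates a HEAD probe low and a src value pointing at a remote URL high, and correlates the two by client IP.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic, not from the article).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2016:10:01:02 +0000] "HEAD /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 - "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2016:10:01:07 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php?src=http://example.net/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2016:10:02:11 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/photo.jpg&w=320 HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jun/2016:10:03:00 +0000] "GET /blog/2016/06/hello-world/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Path named in the article; matched as a suffix so any install prefix works.
RESIZE_PATH = "/wp-content/plugins/wp-mobile-detector/resize.php"
# A src that starts with a URL scheme or a protocol-relative "//" is remote.
REMOTE_SRC_RE = re.compile(r"[a-z][a-z0-9+.\-]*:", re.I)


def classify(line):
    """Classify one log line. Returns (ip, severity, reason) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.endswith(RESIZE_PATH):
        return None
    ip = m["ip"]
    if m["method"] == "HEAD":
        return (ip, "low", "HEAD probe for resize.php")
    # parse_qs percent-decodes, so an encoded scheme is still caught.
    src = parse_qs(target.query).get("src", [""])[0]
    if REMOTE_SRC_RE.match(src) or src.startswith("//"):
        return (ip, "high", "remote src: " + src)
    return (ip, "info", "local src")


def scan(log_text):
    """Return every (ip, severity, reason) hit in the log, in order."""
    return [v for v in (classify(l) for l in log_text.splitlines()) if v]


def probe_then_exploit(hits):
    """IPs that both probed for the file and later supplied a remote src."""
    probes = {ip for ip, sev, _ in hits if sev == "low"}
    exploits = {ip for ip, sev, _ in hits if sev == "high"}
    return sorted(probes & exploits)
```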

Cyber attackers taking advantage of the flaw have been using the opportunity to load websites with porn and spam-related scripts.

The team behind WP Mobile Detector was informed of the zero-day vulnerability, and the official WordPress plugin team was notified two days later. The plugin was removed from the official repository, and warnings were issued to all users who have installed the plugin to remove it.

Earlier, over 10,000 active installations of the plugin had been recorded within a span of three weeks. The developers behind the WP Mobile Detector plugin subsequently worked to patch the plugin and released an updated version. The WordPress plugin team analyzed the updated plugin and found it safe for public consumption.

If you are using the WP Mobile Detector plugin, you should update to version 3.6 or 3.7, both of which are no longer vulnerable to attacks exploiting this vulnerability.