WordPress Plugin Vulnerability Leaves Websites Open to Cyberattack
A security firm recently identified a WordPress plugin vulnerability that has put as many as 10,000 websites at risk of a cyberattack. The vulnerability within the WP Mobile Detector plugin enabled cybercriminals to upload arbitrary web shell files to website servers, paving the way for the injection of malicious code into legitimate pages. According to the SANS Institute, remote attackers might exploit arbitrary file uploads by filling the site’s available storage with files, creating a denial-of-service condition.
Security experts say domains using this plugin should update to Version 3.6 immediately. The similarly named WordPress plugin WP Mobile Detect is unaffected by the vulnerability.
Security Experts Discover Plugin Vulnerability
According to Computerworld, the WP Mobile Detector flaw was first identified by Plugin Vulnerabilities, which noticed arbitrary HEAD requests on its server for a file called “/blog/wp-content/plugins/wp-mobile-detector/resize.php.”
Having identified the unusual request, the group hypothesized that remote attackers were attempting to exploit a potential vulnerability in that particular file. Further research revealed the file was part of the WP Mobile Detector WordPress plugin.
This plugin is designed to detect whether a mobile visitor is using a smartphone or a standard phone browser. It then serves a compatible theme for that class of device, with the goal of delivering an optimized experience on any mobile device. Plugin Vulnerabilities noted that a server needs to have the “allow_url_fopen” setting enabled, in addition to running the older version of WP Mobile Detector, for the remote attack to succeed.
Even with allow_url_fopen disabled and the plugin updated, Sucuri suggests the fix is not complete: although the changes should keep WordPress sites from actually executing malicious code, remote attackers may still be able to upload malicious files to the cache subdirectory and use them to attack third-party websites.
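As an added example that is not part of the article or of the plugin's own code, the following Python script shows the kind of check a site owner could run over web server access logs and the plugin's cache directory: it flags any request to the resize.php path the researchers saw being probed, tallies those requests per client, and lists cache files that are not plain images. The log lines and file names are constructed, and the assumption that the cache should only ever hold resized images is mine.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format; the client
# addresses, timestamps and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2016:10:00:01 +0000] "HEAD /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 0 "-" "curl/7.47.0"
198.51.100.2 - - [01/Jun/2016:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2016:10:00:09 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 0 "-" "curl/7.47.0"
198.51.100.2 - - [01/Jun/2016:10:01:00 +0000] "GET /blog/wp-content/themes/twentysixteen/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# The plugin file the probing requests targeted (path taken from the article).
RESIZE_PATH = "/wp-content/plugins/wp-mobile-detector/resize.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the plugin's cache directory should only ever hold resized images.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_resize_requests(log_text):
    """Flag every request, whatever the HTTP method, aimed at resize.php."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0].endswith(RESIZE_PATH):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client address to spot repeated probing."""
    return Counter(h["ip"] for h in hits)


def suspicious_cache_files(filenames):
    """Flag cache entries that are not plain images (anything PHP-like included)."""
    bad = []
    for name in filenames:
        lower = name.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ".php" in lower or ext not in IMAGE_EXTS:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for ip, n in summarize_by_client(find_resize_requests(SAMPLE_LOG)).items():
        print(f"{ip}: {n} request(s) to resize.php")
```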
Preventing Hacks to a WordPress Plugin
WordPress plugins make it possible to add advanced functionality to WordPress sites without the developer needing in-depth coding knowledge. Plugins speed up the development and deployment process and make WordPress accessible to organizations that don’t have an internal development staff. As a result, most sites using WordPress accept plugins as is. The site owners may lack the skill to analyze the code for potential vulnerabilities, which forces them to rely on the plugin developer for security.
Keeping WordPress and any plugin versions current is the best way to prevent cyberattacks of this nature. Many hosting services update WordPress automatically, but sites that lack access to automation should open their WordPress dashboards regularly to download and install all available updates.
The WordPress Codex also recommends deleting any unused themes or plugins to minimize the site’s attack surface. Instead of keeping multiple themes for different browsers and devices, organizations can use responsive design to adjust each page according to the type of device used to access it. In addition to reducing the attack surface, responsive design carries potential search engine benefits and makes it easier to operate a website across platforms, since developers no longer have to maintain separate desktop and mobile versions of each page. This also makes the site less prone to redirect errors.
The InfoSec Institute points out that developers can also use security plugins such as Wordfence and BulletProof Security to prevent remote attacks.