A growing number of WordPress installations have been compromised by hackers exploiting a security flaw in a widely used plugin named WP Mobile Detector, security experts at Sucuri warned.
The Plugin Vulnerabilities team first disclosed the worrisome news that the WP Mobile Detector plugin contains the zero-day vulnerability. Attackers have been exploiting the flaw to install porn-related spam scripts, researchers at Sucuri reported.
After the vulnerability was disclosed, the plugin was removed from the official WordPress plugin directory.
The vulnerability was first publicly disclosed on 31 May, although it was first observed on 27 May; after the plugin's removal from the WordPress repository it remained unpatched, according to a Sucuri blog post.
The plugin is estimated to have had more than 10,000 active installations, some of which are still vulnerable to attack.
The flaw stems from missing input validation: the plugin does not validate the input it receives, which lets attackers submit malicious PHP code.
According to Sucuri, the vulnerability is easy to exploit. The researchers first became suspicious of a possible issue after observing requests for a WP Mobile Detector file, timthumb.php or resize.php inside the plugin directory, with the backdoor URL appended. One example path is: blog/wp-content/plugins/wp-mobile-detector/resize.php
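Because the article's only concrete indicator is a request for resize.php or timthumb.php under the plugin directory carrying a URL, a site owner can look for exactly that in the web server access log. The script below is an added example written for this page; it is not Sucuri's code or part of the plugin. It assumes Apache/nginx "combined" log format, assumes (as a labelled guess) that the backdoor URL travels in the query string, and runs over a few constructed log lines embedded inline.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2016:10:14:02 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/resize.php?src=http://198.51.100.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [27/May/2016:10:15:44 +0000] "GET /blog/wp-content/plugins/wp-mobile-detector/timthumb.php HTTP/1.1" 200 128 "-" "curl/7.47.0"
198.51.100.20 - - [27/May/2016:10:16:01 +0000] "GET /blog/2016/05/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.12 - - [27/May/2016:10:17:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format request line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two plugin files the report names as the ones being requested.
WATCHED = re.compile(
    r'/wp-content/plugins/wp-mobile-detector/(?P<file>resize|timthumb)\.php$'
)


def has_remote_url(query):
    """True if any query-string value is an absolute http(s) URL."""
    return any(
        v.lower().startswith(("http://", "https://"))
        for _, v in parse_qsl(query, keep_blank_values=True)
    )


def classify(target):
    """Return a finding dict for a suspicious request target, else None."""
    parts = urlsplit(target)
    m = WATCHED.search(parts.path)
    if not m:
        return None
    # Assumption: the "backdoor URL" is passed in the query string, so a
    # remote URL there is rated higher than a bare hit on the watched file.
    severity = "high" if has_remote_url(parts.query) else "medium"
    return {"file": m.group("file") + ".php", "severity": severity, "query": parts.query}


def scan(log_text):
    """Scan combined-format log text and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        finding = classify(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} {f['file']} query={f['query']!r}")
```

Run it against a real access log by reading the file into `scan()`; a "high" finding with a 200 status on resize.php is the pattern the article describes, and any hit at all on those two files is worth checking once the plugin has been uninstalled, since legitimate traffic should no longer reach them.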
The researchers also note that no fix is currently available, so it is better to uninstall the vulnerable plugin.
Users should now update to version 3.6 or 3.7, both of which are free of this vulnerability.