A new WordPress plugin vulnerability was recently uncovered that is being actively exploited. The vulnerability affects the WP Mobile Detector plugin, which is used to determine whether a website is being viewed on a desktop or mobile device. The plugin then serves a compatible WordPress theme.

The plugin was one of the first to be able to distinguish whether a device was a standard mobile or a Smartphone, and as of the start of May, the plugin had been installed on more than 10,000 WordPress websites.

WP Mobile Detector WordPress Plugin Vulnerability Exploited to Install Porn Spam Doorways

The WordPress plugin vulnerability was detected by Plugin Vulnerabilities, which noticed a HEAD request for a file called /wp-mobile-detector/resize.php, even though the plugin had not been installed on the site.

Researchers at Plugin Vulnerabilities concluded that the request was made by an individual attempting to determine whether the plugin had been installed in order to exploit a vulnerability.  After searching for reports of a known vulnerability and finding none, researchers investigated further and discovered the plugin had an arbitrary file upload vulnerability.

The vulnerability is straightforward to exploit and can be used to upload malicious files to the cache directory, host spam content, redirect users to malicious websites, or install malware. Since the plugin performed no checks to validate input from untrusted sources, an attacker would be able to insert a src variable containing a malicious URL and PHP code.

Many of the infections uncovered so far have involved the installation of porn spam doorways. Sucuri reports that the WordPress plugin vulnerability has been exploited since May 27.

Since the discovery of the WP Mobile Detector plugin flaw last week, the plugin was temporarily removed from the WordPress plugin directory. The developer of the WP Mobile Detector plugin has now fixed the vulnerability. Any site owner that has the plugin installed should immediately update to version 3.6.

However, simply updating to the latest version of the plugin will not remove malware if it has already been installed. If web shells have already been installed, attackers could still have an active backdoor to the site allowing them to continue to upload malicious files or inject malicious code into webpages.

One of the easiest ways to check to see if a site has been compromised is to look for a directory called gopni3g in the site root. The directory will contain a story.php file, and “.htaccess and subdirectories with spammy files and templates,” according to Sucuri researcher Douglas Santos.