*** Note: At this time the WP Mobile Detector plugin has been patched. Users should update to the most current version of the plugin as soon as possible.
A vulnerability in WP Mobile Detector is being exploited in the wild and users are urged to remove the plugin as soon as possible, as there is currently no available update.
“The vulnerability is very easy to exploit, all the attacker needs to do is send a request to resize.php or timthumb.php (yes, timthumb, in this case it just includes resize.php), inside the plugin directory with the backdoor URL,” Sucuri reported today.
The exploit stems from the plugin’s failure to validate and sanitize input from untrusted sources. “No security checks are performed and an attacker can feed the src variable with a malicious URL that contains a PHP code,” Sucuri said.
The vulnerability was publicly disclosed on May 31, though Sucuri’s firewall logs indicate that the attack has been going on since May 27.
Although the plugin has been temporarily removed from the repository, there is a partial temporary fix available that disables PHP execution in the wp-mobile-detector/cache subdirectory. This fix does not fully protect a site from being exploited, however.
“Hackers will still be able to upload files to the cache subdirectory and use links to them in attacks to third-party sites (iframes, scripts, malicious downloads) or just to host spammy/illegal content.”
At this time the only way to guarantee your site is safe from this vulnerability is to completely remove the WP Mobile Detector plugin.