
WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin (softpedia.com)

An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin, which was installed on over 10,000 websites. The zero-day had been used in real-world attacks since May 26, but only came to light on May 29 when researchers notified the plugin's developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.org's Plugin Directory on May 31. In the meantime, security firm Sucuri says it detected numerous attacks with this zero-day, which was caused by a lack of input filtering in an image upload field that allowed attackers to upload PHP backdoors on the victim's servers with incredible ease and without any tricky workarounds. The backdoor's password is "dinamit," the Russian word for dynamite.
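The root cause the summary gives, an image upload field with no input filtering, is the general unrestricted-file-upload class. As an added example that is not the plugin's or WordPress's code, this PHP handler shows the checks such a field needs; `store_image_upload` and `$uploadDir` are assumed names, and the upload directory is assumed to have script execution disabled in the web server configuration.

```php
<?php
// Added illustration, not code from the WP Mobile Detector plugin or WordPress.
// The bug class described above: an upload field that trusts the client's
// filename and type and stores the file where the server will run it as PHP.
declare(strict_types=1);

/**
 * Validate one $_FILES entry as a real image and store it under a
 * server-chosen name. Returns the stored filename or throws.
 * $uploadDir is assumed to be a directory with script execution disabled
 * (web server config), or one outside the document root entirely.
 */
function store_image_upload(array $upload, string $uploadDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }

    // $upload['name'] and $upload['type'] are attacker-controlled; ignore them.
    // Inspect the bytes instead: finfo reads the magic header, getimagesize
    // parses the image structure, and the two must agree.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected content type: $mime");
    }
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        throw new RuntimeException('file does not parse as the detected image type');
    }

    // Fixed extension chosen by the server from the detected type: the client
    // cannot supply ".php", a double extension, or a path separator.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // plain data, never executable
    return $name;
}
```

Content checks alone do not stop a file that is both a valid image and valid PHP; the server-chosen extension and a directory where the server will not execute scripts are what remove the execution path.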
  • Well, yeah (Score:2, Insightful)

    by AlphaBro ( 2809233 )
    This isn't really news, Wordpress plugins are notoriously insecure. It would be more surprising if someone found one that wasn't rife with vulnerabilities. Fortunately, 10,000 sites is a tiny user base compared to a lot of plugins.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Try telling that to a Business head who praises how great Wordpress is and how it's the only platform they consider to use. I tell all potential customers to stay away from Wordpress and if I'm asked to work with it I tell them I'm not interested in the job *.

      I've administered enough cPanel servers to know the extent and damage of wild Wordpress exploits and quite frankly cannot for the life of me understand why it gets chosen as a preferred platform of use.

      * Yes I like money. No I don't deal with cheapskate

  • by LordThyGod ( 1465887 ) on Friday June 03, 2016 @09:04PM (#52246719)
    Over 2000 installations! Jesus F. Christ! Just think of the damage this could do.
  • With 20 million+ WordPress sites out there and some are even useful and successful, the call to get rid of the platform can only be called hyperbolic drama queening. However, someone stole my wallet three days ago and all my money inside it. I also know others this has happened to over the years I have been alive. I stand before you asking for your help in making wallets and money obsolete. It's just too big of a risk for humanity to allow those two items to co-exist. Better to banish both. Stand with me
  • Why doesn't PHP (and other web scripting languages) require the execute bit on those scripts? Surely this would make it considerably harder to inject a script.

    Anyone know the reason for this because I can't be the first person to think this?!
  • The password is "dinamit" not "dinamit,". That's a quite important distinction. Broken XIX-century colonial style needs to die.

  • It just makes it no longer appear in the repository. No one gets notified the plugin is insecure, or that it has been removed from the repository at all. It just remains in 100,000 WordPress installations, unmaintained, forever.