Attack: Wordpress WP Mobile Detector Arbitrary Upload

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

An attacker can exploit this issue to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access to the application; other attacks are also possible.

Additional Information

WP Mobile Detector is a plugin for the WordPress content management system.

The WP Mobile Detector plugin is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input passed to the 'resize.php' script. The 'timthumb.php' script is also affected because it includes the 'resize.php' script.

Note: Successful exploitation of this issue requires the 'allow_url_fopen' option to be enabled.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Affected

  • Versions prior to WP Mobile Detector 3.6 are vulnerable.
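
A defender-side exposure check that combines the conditions stated above (plugin version prior to 3.6, the named scripts present, 'allow_url_fopen' enabled). It is an added example, not Symantec's or the plugin's own code; the plugin directory name wp-mobile-detector, the header file name plugin-main.php and the sample php.ini text are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 6)                            # advisory: versions prior to 3.6 are vulnerable
SCRIPTS = ("resize.php", "timthumb.php")  # scripts the advisory names

def plugin_version(plugin_dir):
    """Read Version: from the plugin header file (the one with 'Plugin Name:')."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", head, re.M | re.I)
        if "Plugin Name:" in head and m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None  # unknown version: inspect the installation by hand

def url_fopen_enabled(ini_text):
    """Last uncommented allow_url_fopen directive wins; PHP's default is On."""
    enabled = True
    for line in ini_text.splitlines():
        m = re.match(r"\s*allow_url_fopen\s*=\s*([^;\s]*)", line, re.I)
        if m:
            enabled = m.group(1).strip("\"'").lower() in ("1", "on", "true", "yes")
    return enabled

def audit(plugin_dir, ini_text):
    """Combine the advisory's conditions into one exposure verdict."""
    version = plugin_version(plugin_dir)
    scripts = [s for s in SCRIPTS if any(Path(plugin_dir).rglob(s))]
    old = version is not None and version < FIXED
    fopen = url_fopen_enabled(ini_text)
    return {"version": version, "vulnerable_version": old, "scripts": scripts,
            "allow_url_fopen": fopen, "exposed": bool(old and scripts and fopen)}

def make_sample(root, version):
    """Build a constructed plugin tree; directory and file names are assumptions."""
    d = Path(root) / "wp-content" / "plugins" / "wp-mobile-detector"
    d.mkdir(parents=True)
    header = f"<?php\n/*\n * Plugin Name: WP Mobile Detector\n * Version: {version}\n */\n"
    (d / "plugin-main.php").write_text(header)
    for name in SCRIPTS:
        (d / name).write_text("<?php // stub\n")
    return d

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample(tmp, "3.5"), "allow_url_fopen = On\n"))
```
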
