A recently discovered vulnerability in WPtouch, a popular plugin that’s used to create simple themes for the mobile visitors of WordPress websites, can be leveraged by an attacker to upload PHP files to impacted servers, Sucuri reported on Monday.
According to the security firm, an attacker can take control of WordPress websites by uploading PHP backdoors and other pieces of malware to the site’s directories.
The flaw, which is located in the “core/classwptouchpro.php” file, can only be exploited on websites that allow guest users to register, Sucuri researchers said. In this classwptouchpro.php file, the admin_initialize() method is called by the “admin_init” hook, the use of which recently led to a file upload vulnerability in a different popular WordPress plugin.
The problem is related to the nonce, a WordPress-generated string that acts as a special token and is utilized to identify the user performing a specific operation, like the deletion of a post or the submission of a form. Nonces are designed to protect websites against hacker attacks, but according to Sucuri experts, they should always be accompanied by other functions when used for securing sensitive methods.
“[The admin nonce] was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” Sucuri’s Marc-Alexandre Montpas explained in a blog post.
In order to compromise a website, an attacker simply needs to log in to his account, get the nonce via wp-admin, and send an AJAX file upload request containing the nonce and the backdoor, Montpas said.
The plugin has been downloaded more than 5.6 million times from the official WordPress website, so the number of potential victims for such an attack is high. Fortunately, WPtouch developers quickly addressed the issue with the release of version 3.4.3 after being notified by Sucuri. It’s worth noting that the flaw affects only versions 3.x of WPtouch; older versions like 1.x and 2.x are not impacted.