Published on July 15th, 2014
Vulnerability in WPTouch WordPress Plugin Allows Hackers to Upload PHP backdoors
Security researchers at Sucuri have warned WordPress users to update the popular WPtouch plugin after uncovering a vulnerability that allows any logged-in user, with no administrative privileges, to take over a site by uploading a PHP backdoor into the site's directories.
The vulnerability was discovered during a routine audit for the company's web application firewall (WAF). According to the researchers, only sites that allow visitors to register accounts are exposed; that setting is off in a default WordPress install, but many sites turn it on so that visitors can comment.
The vulnerable version of the plugin relies on the WordPress "admin_init" hook as if it were an authorization check. That hook fires on every request to wp-admin, including requests to admin-ajax.php, for any logged-in user regardless of role, so code attached to it is not administrator-only. The result is that a low-privileged user can upload arbitrary PHP files to the server and gain full control of the site.
Exploitation is straightforward. The "admin_initialize()" method is called from the "admin_init" hook in the file "core/class-wptouch-pro.php". It generates the plugin's admin nonce (number used once) and pushes it into the WordPress script queue, so it ends up in the JavaScript served to whoever loaded the admin page, where any logged-in user can read it from the page source.
“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says the blog post.
All an attacker had to do in order to compromise a vulnerable website was to:
- Log in and obtain his nonce via wp-admin
- Send an AJAX file upload request containing the leaked nonce and his backdoor
“So long story short – don’t only use nonces to protect sensitive methods, always add functions such as “current_user_can()” or the likes to confirm a user’s right to do something.”
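The pattern Sucuri describes, and the fix they recommend, as an added example written for this article (it is not WPtouch's own code). All function names, the AJAX action names, the script handle and the nonce action string (`wpt_demo_*`, `WPtDemo`) are hypothetical; the WordPress APIs used (`admin_init`, `wp_localize_script`, `check_ajax_referer`, `current_user_can`, `wp_handle_upload`) are real.

```php
<?php
/**
 * Added example, not WPtouch's own code. Shows the vulnerable pattern the
 * article describes (nonce used as the only gate on a file upload) beside a
 * hardened handler. Hypothetical names: wpt_demo_*, WPtDemo, 'wpt-demo-admin'.
 */

// ---- Vulnerable pattern ----------------------------------------------------
// admin_init fires for every request to wp-admin, including admin-ajax.php,
// for ANY logged-in user (subscribers included). Nothing here is admin-only.
add_action( 'admin_init', 'wpt_demo_admin_initialize' );
function wpt_demo_admin_initialize() {
    // The nonce is minted for whoever is logged in and written into the page
    // as JavaScript, so a subscriber can read it from the page source.
    wp_enqueue_script( 'wpt-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ) );
    wp_localize_script( 'wpt-demo-admin', 'WPtDemo', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'wpt-demo-admin' ),
    ) );
}

add_action( 'wp_ajax_wpt_demo_upload_vuln', 'wpt_demo_upload_vuln' );
function wpt_demo_upload_vuln() {
    // A nonce only proves the request originated from a page served to THIS
    // user (anti-CSRF); it says nothing about what the user is allowed to do.
    check_ajax_referer( 'wpt-demo-admin', 'nonce' );

    // Any logged-in user reaches this point. The file, which may be a PHP
    // backdoor, is written into the uploads directory with no type check.
    $dir  = wp_upload_dir();
    $path = trailingslashit( $dir['path'] ) . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $path );
    wp_send_json_success( array( 'path' => $path ) );
}

// Attack against the handler above, mirroring the two steps in the article:
// log in as a subscriber, read WPtDemo.nonce from any wp-admin page source,
// then (illustrative request, constructed for this example):
//   curl -b cookies.txt -F action=wpt_demo_upload_vuln -F nonce=<leaked> \
//        -F file=@backdoor.php https://site.example/wp-admin/admin-ajax.php

// ---- Hardened version ------------------------------------------------------
add_action( 'wp_ajax_wpt_demo_upload_fixed', 'wpt_demo_upload_fixed' );
function wpt_demo_upload_fixed() {
    // 1. CSRF check: still required, but not sufficient on its own.
    check_ajax_referer( 'wpt-demo-admin', 'nonce' );

    // 2. Authorization check: the step the vulnerable handler lacked.
    //    Subscribers fail here; administrators (manage_options) pass.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Let WordPress validate the file. wp_handle_upload() rejects
    //    extensions/MIME types outside the allowed list (.php is not in it),
    //    so even an administrator cannot drop a PHP file through this path.
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two checks answer different questions: `check_ajax_referer()` asks "did this request come from a page I served to this user?", `current_user_can()` asks "is this user allowed to perform the action?". The vulnerable handler conflates the first with the second, which is exactly the mistake Sucuri's advice addresses.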
This vulnerability only affects sites running the 3.x branch of the plugin. Users and site administrators still on an earlier version are not exposed to this particular issue, but they should update to the latest release regardless.
The WPtouch issue is not the only security vulnerability Sucuri's researchers have uncovered recently. At the beginning of June, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin "All in One SEO Pack".