WP Mobile Detector Vulnerability Being Exploited in the Wild
We are reaching out to you today because we (in conjunction with our partners) have noticed an increase in the number of websites infected with SEO spam, and the attack vector is the WP Mobile Detector plugin. The plugin has a new zero-day vulnerability that allows an attacker to exploit an Arbitrary File Upload (AFU) flaw. A patch for this plugin has been released. Please update as soon as possible: the patched version is 3.6, and the latest version is 3.7.
The zero day was disclosed May 31st, and we were able to track live attacks going back to May 27th. All customers using the Laughing Rock Web Firewall have been protected since May 27th. We have actively tested the most popular application-level security plugins for WordPress, and the exploits are evading their prevention controls.
The vulnerability is very easy to exploit. All the attacker needs to do is send a request to resize.php or timthumb.php inside the plugin directory (yes, timthumb; in this case it simply includes resize.php) carrying the URL of the backdoor.
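As an added illustration for site owners checking whether they were hit (this is not code from the original notice or from the plugin), the Python below scans web-server access logs for requests to the plugin's resize.php or timthumb.php whose query string carries a remote URL. The plugin directory name and the log lines are assumptions and constructed samples, not data from any real incident.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Apache combined-style); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [28/May/2016:10:12:01 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://example.net/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [28/May/2016:10:12:09 +0000] "GET /wp-content/plugins/wp-mobile-detector/timthumb.php?src=https%3A%2F%2Fexample.net%2Fy.txt HTTP/1.1" 200 512 "-" "curl/7.47"
198.51.100.7 - - [28/May/2016:10:13:00 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=wp-content/uploads/a.jpg&w=120 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.8 - - [28/May/2016:10:14:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
"""

# Assumed plugin slug; confirm it against the wp-content/plugins directory on your own site.
PLUGIN_DIR = "/wp-content/plugins/wp-mobile-detector/"
TARGET_SCRIPTS = ("resize.php", "timthumb.php")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any absolute or protocol-relative URL in a parameter value is what we want to flag.
REMOTE_URL_RE = re.compile(r'^(?:https?:)?//', re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (ip, timestamp, script, remote_url, status) for each request that hits the
    plugin's resize.php or timthumb.php with a query parameter pointing at a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we can parse; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(PLUGIN_DIR):
            continue
        script = parts.path.rsplit("/", 1)[-1]
        if script not in TARGET_SCRIPTS:
            continue
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded URLs
            if REMOTE_URL_RE.match(value):
                hits.append((m.group("ip"), m.group("ts"), script, value, int(m.group("status"))))
                break  # one flagged parameter is enough for this request
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

A 200 response on one of these requests means the server ran the script; inspect the plugin's cache directory for files that were written around that timestamp.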
It’s imperative that if you are using this plugin on your WordPress website that you update it immediately. If you need assistance with this, please contact our office to have an engineer assist you.
If you are on an unlimited web contract with Laughing Rock, your plugins have already been updated and your site is not affected by this exploit. Thanks and safe surfing!
* A special thanks to our friends at Sucuri for bringing this to our attention.