WPTouch WordPress Plugin Vulnerability allows Hackers to Upload PHP backdoors
If you own a mobile version for your Wordpress website using the popular WPtouch plugin, then you may expose to a critical vulnerability that could potentially allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without any admin privileges.

WordPress is a free and an open source blogging tool as well as a content management system (CMS) with 30,000 plugins, each of which offers custom functions and features enabling users to tailor their sites to their specific needs.

That is why, it is easy to setup and used by more than 73 million of websites across the world, and about 5.7 million them uses WPtouch plugin, making it one of the most popular plugins in the WordPress plugin directory.

WPtouch is a mobile plugin that automatically enables a user friendly and elegant mobile theme for rendering your WordPress website contents on the mobile devices. User can easily customize many aspects of its appearance by the administration panel and deliver a fast, user-friendly and stylish version of their site to its mobile visitors, without modifying or affecting the desktop version of the theme.

Security researchers at Sucuri have warned the WordPress users to update the popular WPTouch plugin after they uncovered a security vulnerability that could allow any logged-in user, without administrative privileges, to take over the website by uploading a backdoor inside your website's directories.

The vulnerability was discovered during a routine audit for the company's web application firewall (WAF). Researchers said that only those websites that allow registration of guest users, which is by-default enabled for the comments section of the site, are at great risk.

The vulnerable version of the plugin uses the "admin_init" hook in WordPress as an authentication method, which could lead user to gain unrestricted access to the website by uploading a malicious PHP files to the server.

It is quite simple to compromise the web location. The "admin_initialize()" method is called by the "admin_init" hook in the file "core/classwptouchpro.php." The admin nonce (number used once) is then generated and included on the WordPress script queue.
"This nonce was also used to verify whether or not a user could upload files to the server. As the script didn't use any other form of identification to check or authenticate the user's privilege to upload files, it was possible for any user to complete the upload in there," says the blog post.
All an attacker had to do in order to compromise a vulnerable website was to:
  • Log­in and get his nonce via wp-admin
  • Send an AJAX file upload request containing the leaked nonce and his backdoor
"So long story short – don't only use nonces to protect sensitive methods, always add functions such as "current_user_can()" or the likes to confirm a user's right to do something."
The current security vulnerability only affects websites running the plugin versions 3.x. So, the users and website administrators who relies on the previous version have nothing to worry about, but they should update regardless.

The issue with WPTouch is not the only security vulnerability researchers at Sucuri have discovered. At the beginning of June, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin called "All in One SEO Pack"

The security team also discovered a critical Remote Code Execution (RCE) flaw in 'Disqus Comment System' Plugin of Wordpress few weeks before.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.