Watch out for WordPress plugin vulnerabilities

A vulnerable piece of WordPress code has recently become the target of automated attacks. WordPress plugins and themes are unfortunately a common source of vulnerabilities: they are often written by developers who are not security-minded, and the result can be some embarrassing mistakes.

The code in question is TimThumb, a PHP image-resizing script that is bundled with many WordPress themes and plugins rather than installed as a plugin of its own. Vulnerable versions will fetch an image from a remote URL and store it in a web-accessible cache directory, and the check that the URL points at a trusted image host is a loose substring match: a hostname that merely contains a trusted domain name (for example one that starts with blogger.com but belongs to an attacker) passes. The fetched "image" can therefore come from a malicious remote server, and if it contains PHP code that code is executed on the WordPress host.
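The flawed host check described above, side by side with a hardened one, as an added example in Python (this is not TimThumb's own code, which is PHP, and the allowlist entries are an assumption chosen to illustrate the pattern):

```python
from urllib.parse import urlparse

# Illustrative allowlist of image hosts, modelled on the kind of list TimThumb
# shipped with; the exact entries are an assumption for this example.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com")


def weak_host_check(url: str) -> bool:
    """The flawed pattern: a trusted name anywhere in the hostname passes.

    'blogger.com.attacker.example' contains 'blogger.com', so it is accepted.
    The scheme is never looked at either.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(allowed in host for allowed in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Hardened check: require http(s), then match the hostname exactly or as a
    subdomain on a label boundary. 'blogger.com.attacker.example' is rejected,
    'photos.blogger.com' is still allowed."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower().rstrip(".")
    return any(host == allowed or host.endswith("." + allowed) for allowed in ALLOWED_HOSTS)


def compare(url: str) -> dict:
    """Return both verdicts so the bypass is visible side by side."""
    return {"url": url, "weak": weak_host_check(url), "strict": strict_host_check(url)}


if __name__ == "__main__":
    for u in (
        "http://blogger.com/photo.jpg",                   # genuinely trusted host
        "https://photos.blogger.com/photo.jpg",           # subdomain of a trusted host
        "http://blogger.com.attacker.example/shell.php",  # attacker host, passes the weak check
        "http://attacker.example/blogger.com/shell.php",  # trusted name only in the path
        "ftp://blogger.com/photo.jpg",                    # wrong scheme, weak check ignores it
    ):
        print(compare(u))
```

Even the strict check is not a complete fix: anyone can host a file on a trusted image site. Fetched bytes should additionally be decoded and re-encoded with the image library, and never written to a web-served path under a name the server will execute.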

The SpiderLabs blog has an in-depth analysis of a payload captured by a honeypot running a stock WordPress install with a theme containing TimThumb. The payload starts with a forged GIF image header, so that naive image checks that only look at the leading magic bytes accept it, and continues with a PHP script that installs a backdoor on the compromised host. The backdoor can then be used to steal information from the machine or to make it participate in a botnet.
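A small scanner for that payload shape, as an added example (this is not SpiderLabs' analysis code or anything from TimThumb): it walks an image cache directory and flags any file that carries a PHP open tag, whether or not it hides behind an image header. The sample files it creates are constructed here for the demonstration, not real captured malware, and the file names are arbitrary; the scan deliberately ignores extensions, because the cached file's name is chosen by the script, not by the attacker.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes for the image formats a thumbnailer cache is expected to hold.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# A PHP open tag: '<?php', the short echo tag '<?=', or a bare '<?' followed by
# whitespace. '<?xml' deliberately does not match, so SVG/XML is not a false positive.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)


def classify_bytes(data: bytes) -> str:
    """'image' for a plain image, 'php' for code with no image header,
    'polyglot' for an image header with PHP code behind it, else 'unknown'."""
    looks_like_image = any(data.startswith(sig) for sig in IMAGE_MAGIC)
    has_php = PHP_TAG.search(data) is not None
    if looks_like_image and has_php:
        return "polyglot"
    if has_php:
        return "php"
    if looks_like_image:
        return "image"
    return "unknown"


def scan_cache(directory) -> list:
    """Return (relative path, verdict) for every file that contains PHP code.

    Nothing in an image cache should contain a PHP open tag, so both 'php' and
    'polyglot' are reported; the verdict says which disguise was used."""
    root = Path(directory)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        verdict = classify_bytes(path.read_bytes())
        if verdict in ("php", "polyglot"):
            findings.append((str(path.relative_to(root)), verdict))
    return findings


def build_sample_cache() -> str:
    """Write constructed sample files (not real captured malware) to a temp dir."""
    d = Path(tempfile.mkdtemp(prefix="timthumb-cache-"))
    (d / "clean.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x80\x00\x00;")
    (d / "clean.svg").write_bytes(b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>')
    # Forged GIF header followed by PHP: the shape of payload the honeypot captured.
    (d / "polyglot.gif").write_bytes(
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b'<?php echo "placeholder for dropper code"; ?>'
    )
    (d / "dropped.php").write_bytes(b"<?php\n// placeholder, no image header at all\n")
    return str(d)


if __name__ == "__main__":
    for name, verdict in scan_cache(build_sample_cache()):
        print(f"{verdict:9s} {name}")
```

On a real host, point scan_cache at the cache directory next to timthumb.php (and at the upload directory while you are at it); a hit means the file must be treated as a dropped web shell, not just deleted, because the backdoor it installed may live elsewhere.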

If you use WordPress, it is imperative that you identify vulnerable plugins and themes now, for example with WPScan (wpscan --url https://example.com --enumerate vp,vt), and then update or remove them; WPScan finds them, it does not uninstall them for you. Because TimThumb ships inside themes as timthumb.php (often renamed thumb.php), check theme directories as well as the plugin list. Keep watching for security flaws in WordPress plugins and themes, because they are a favourite target for automated attacks.