In the last several days someone started making requests using Tor nodes for the file /wp-content/plugins/image-clipboard/readme.txt, which is a file from the WordPress plugin Clipboard Images. That would likely be a hacker probing for usage of the plugin, which has 800+ active installations according to wordpress.org, before exploiting a vulnerability in it. After we noticed that activity this morning we went to look over the code to see if we could find a vulnerability that hackers would be likely to exploit in it and it took only moments to find what in all likelihood is already being exploited.

Making that relatively easy to do is the plugin only contains a single function that contains any code of a substantial nature. That function is named save_image() and it is accessible through WordPress AJAX functionality to those logged in as well as those not logged in to WordPress: [Read more]