As we continue looking at ways we can improve the security of WordPress plugins, one of the things we are trying is checking over plugins for which we have recently added new vulnerabilities to our data set, to see if we can find any other obvious vulnerabilities. The second one we have spotted is in the plugin WP Mobile Detector. Unlike the arbitrary file upload vulnerability we spotted after someone was looking to exploit it on this website, this cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability on the settings page for the plugin is unlikely to be exploited.
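A settings page that is vulnerable to CSRF and XSS in the way described above typically combines two defects: the form handler saves whatever is posted without verifying that the request was deliberately sent from the plugin's own page, and the stored value is echoed back into the page unescaped. The following is an added example, not code from WP Mobile Detector or from the original post: it shows the vulnerable pattern for a hypothetical plugin (the option name `example_tagline` and the nonce action `example_plugin_save_settings` are made up) beside the hardened form using WordPress's own nonce, capability, sanitisation and escaping functions.

```php
<?php
// Added example, not code from the WP Mobile Detector plugin. The option name,
// nonce action and function names are hypothetical.

// --- Vulnerable pattern: no CSRF protection, no output escaping ---
function example_plugin_settings_page_insecure() {
    if ( isset( $_POST['example_tagline'] ) ) {
        // No nonce or capability check: a form on any site the logged-in admin
        // visits can submit this request on their behalf (CSRF).
        update_option( 'example_tagline', $_POST['example_tagline'] );
    }
    $tagline = get_option( 'example_tagline', '' );
    // Unescaped output: a stored value containing a quote and a script tag
    // breaks out of the attribute and runs in the admin's browser (XSS).
    echo '<form method="post"><input name="example_tagline" value="' . $tagline . '"></form>';
}

// --- Hardened pattern ---
function example_plugin_settings_page_secure() {
    if ( isset( $_POST['example_tagline'] ) ) {
        // Only users allowed to manage options may change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions' );
        }
        // check_admin_referer() dies unless the request carries a valid nonce
        // for this action, which a forged cross-site request cannot supply.
        check_admin_referer( 'example_plugin_save_settings' );
        // Remove slashes WordPress adds, then strip tags and stray whitespace.
        $clean = sanitize_text_field( wp_unslash( $_POST['example_tagline'] ) );
        update_option( 'example_tagline', $clean );
    }
    $tagline = get_option( 'example_tagline', '' );
    echo '<form method="post">';
    // wp_nonce_field() emits the hidden nonce input that check_admin_referer() verifies.
    wp_nonce_field( 'example_plugin_save_settings' );
    // esc_attr() encodes quotes and angle brackets so the value cannot leave the attribute.
    echo '<input name="example_tagline" value="' . esc_attr( $tagline ) . '">';
    submit_button();
    echo '</form>';
}
```

Both defects have to be fixed: a nonce alone stops the forged request from saving a malicious value, but any value that already reached the database through another route would still be rendered unescaped without `esc_attr()`.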
When it comes to the discussion of WordPress security, one thing that stands out for us is how much of what is being said seems to be, at best, not backed by factual information and, in too many cases, seems to be backed by outright falsehoods. That makes gathering and analyzing data on security issues a much needed activity.
A few days ago we had a HEAD request for the file /blog/wp-content/plugins/wp-mobile-detector/resize.php, which is a file in the plugin WP Mobile Detector. Since we didn’t have that plugin installed, the most likely explanation for that was someone checking for the existence of the file before trying to exploit a vulnerability in the plugin. Looking around we couldn’t find any public disclosure of a vulnerability involving that particular file, but a quick look at the file showed that the plugin has an arbitrary file upload vulnerability. The severity of the vulnerability is lessened by the fact that it requires the server to have an option enabled that introduces the potential for security risks like this.
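The reasoning above, that a request for a plugin file on a site where that plugin is not installed is most likely a probe, can be turned into a simple log check. The following is an added example, not code from the original post: a PHP command-line script that parses combined-format access log lines, extracts the plugin slug from any request under wp-content/plugins/, and reports requests for plugins that are not in the site's installed list. The log lines and the installed-plugin list are constructed for the example.

```php
<?php
// Added example, not part of the original post. The installed-plugin list and
// the log lines are constructed; the request for resize.php mirrors the one
// described in the text.

$installed_plugins = array( 'akismet', 'contact-form-7' ); // assumption: this site's plugins

$log_lines = array(
    '203.0.113.5 - - [01/Jun/2016:10:00:00 +0000] "HEAD /blog/wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jun/2016:10:00:01 +0000] "GET /blog/wp-content/plugins/akismet/akismet.css HTTP/1.1" 200 1342 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jun/2016:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

/**
 * Return method, path and plugin slug for a request under wp-content/plugins/,
 * or null when the line is not such a request.
 */
function extract_plugin_request( $line ) {
    $pattern = '#"(HEAD|GET|POST) (\S*?/wp-content/plugins/([^/\s]+)/[^"\s]*) HTTP/[0-9.]+"#';
    if ( ! preg_match( $pattern, $line, $m ) ) {
        return null;
    }
    return array( 'method' => $m[1], 'path' => $m[2], 'slug' => $m[3] );
}

/**
 * Keep only requests whose plugin directory is not installed on this site.
 * Any method is reported: HEAD is typical for an existence check, but GET
 * and POST to a missing plugin file are equally worth a look.
 */
function find_probes_for_missing_plugins( array $lines, array $installed ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = extract_plugin_request( $line );
        if ( $req === null ) {
            continue;
        }
        if ( ! in_array( $req['slug'], $installed, true ) ) {
            $hits[] = $req;
        }
    }
    return $hits;
}

foreach ( find_probes_for_missing_plugins( $log_lines, $installed_plugins ) as $hit ) {
    printf( "%s %s (plugin '%s' not installed)\n", $hit['method'], $hit['path'], $hit['slug'] );
}
```

On the constructed input only the resize.php request is reported, since akismet is in the installed list and the third line is not a plugin request. On a real server the installed list can be built from the directory names under wp-content/plugins/, and the script can read its lines from the access log instead of the embedded array.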