Since the disclosure of a serious file-upload vulnerability in WordPress Symposium and the public availability of proof-of-concept exploit code, attacks against sites running the plug-in are starting to raise concern.
Researchers at Trustwave SpiderLabs on Tuesday said they had snared a number of exploit attempts in their honeypot, and researchers at Sucuri have been monitoring scans for the plug-in since the start of the month, almost two weeks before the Dec. 11 public disclosure by Italian researcher Claudio Viviani.
The vulnerability allows an attacker to upload files without authentication to sites running Symposium, SpiderLabs lead researcher Ryan Barnett wrote in an advisory.
In one such exploit attempt, Barnett said an attacker uploaded a PHP file that included various PHP backdoor code through which a hacker could send commands over HTTP. The file also included the WSO webshell, which provides a remote view into a server’s management interface.
According to statistics from WordPress, the plug-in has been downloaded slightly more than 150,000 times, which pales in comparison to some of the more popular plug-ins such as Akismet (27 million downloads) and Contact Form 7 (22 million). Despite the relatively low number of downloads, the public availability of PHP exploit code and the ease with which hackers are able to locate sites running the vulnerable plug-in mean site operators should evaluate the risk.
“The end goal of most of these attackers is to install webshell/backdoors so that they can have access/control on the website,” Barnett told Threatpost. “They monitor for new 0-day vulnerabilities to exploit, to then install the webshells. WP-Symposium is simply the ‘vuln of the day.’”
WSO webshell has been used by hackers before in order to gain remote control over a website; the webshell enables attackers to remotely read files and databases, execute OS level commands, install drive-by-download malware links and even attack other websites, Barnett said.
Compounding the problem, Barnett said the flaw persists even though updated versions of the plug-in are available.
“I downloaded the latest version of the code from both the WordPress website and directly from the wpsymposium site and verified that it is still vulnerable,” Barnett said.
Barnett said that vulnerable files are also present on the mobile version. Those files are: /wp-symposium/server/php/index.php; /wp-symposium/server/php/UploadHandler.php; /wp-symposium/mobile-files/server/php/index.php; and /wp-symposium/mobile-files/server/php/UploadHandler.php.
Researchers at Sucuri said they were able to verify similar attacks against sites running Symposium. Sucuri reports an increase in Internet scans for the plug-in starting early this month, especially after Dec. 11 when the vulnerability was publicly disclosed. The number of scans per day peaked on Monday at close to 3,800. Sucuri said the first two exploits were attempted on Dec. 1 and Dec. 9, two days before disclosure.
“Someone out there knew of this vulnerability and was actively attempting to exploit it,” Sucuri’s David Dede wrote in an advisory. “Whether it was made public via underground forums, they are the ones that found it or some other means. Either way, we were dealing with an active 0-day vulnerability.”
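Site operators can check their own access logs for the same activity. The following Python script is an added example, not code from Trustwave, Sucuri or the original article: it flags requests to the four file paths Barnett lists and counts them per day, separating probes from POSTs the server answered with a 2xx status. It assumes Apache/nginx Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The four files named in the article, matched as a suffix of the request
# path so the site's own directory prefix does not matter.
VULNERABLE_SUFFIXES = (
    "/wp-symposium/server/php/index.php",
    "/wp-symposium/server/php/UploadHandler.php",
    "/wp-symposium/mobile-files/server/php/index.php",
    "/wp-symposium/mobile-files/server/php/UploadHandler.php",
)

# Assumption: Combined Log Format (ip, ident, user, [time], "request", status, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (day, ip, kind) for a request to a listed file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: ignore rather than crash
    path = unquote(m.group("target").split("?", 1)[0])
    if not path.endswith(VULNERABLE_SUFFIXES):
        return None
    # A POST answered 2xx may have stored a file; it is not proof of one.
    uploaded = m.group("method") == "POST" and m.group("status").startswith("2")
    return m.group("day"), m.group("ip"), "possible_upload" if uploaded else "probe"

def summarize(lines):
    """Count hits per (day, kind) and collect source IPs of possible uploads."""
    per_day, upload_ips = Counter(), set()
    for day, ip, kind in filter(None, map(classify, lines)):
        per_day[(day, kind)] += 1
        if kind == "possible_upload":
            upload_ips.add(ip)
    return per_day, upload_ips

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-content/plugins/wp-symposium/server/php/UploadHandler.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:05:40 +0000] "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [02/Jan/2024:03:12:00 +0000] "POST /wp-content/plugins/wp-symposium/mobile-files/server/php/index.php?x=1 HTTP/1.1" 404 199 "-" "-"',
    '192.0.2.44 - - [02/Jan/2024:08:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]
```

Any `possible_upload` hit warrants reviewing the plug-in's upload directories for unexpected PHP files created around the logged time.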