SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


WordPress Mobile App Native Plugin Vulnerability Leads to Web Site PWNage (Mar 03, 2017)



Description


The Mobile App Native Plugin for WordPress lets you turn your website into a mobile application in just a few minutes. Recently, there was a vulnerability discovered that allows attackers to execute remote code.

It turns out that the plugin does not:

  1. Require authentication for file uploads. Any user can upload any file, be it text, image or even executable.
  2. 2. Check if the uploaded file contains executable code.

Given the above, any user can simply upload a php file that allows for code execution. This is similar to the backdoor.php file shown in How To Own A Web Server By Writing An Email (Jan 4, 2017)

Once the backdoor.php has been successfully uploaded, the attacker can, then go to it and perform any malicious actions he or she wishes.

SonicWALL Threat Research Team has researched this vulnerability and have the following signatures in place to protect their customers:

© 2017 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.3 | S2MSW06