[Resolved] Update on possible vulnerability
I am getting preliminary reports that this plugin is being used by some bad neighborhood sites as a potential attack vector. I have not confirmed what exactly is going on but as soon as I hear more I will post back.
Please make sure your wp-plugin-repo-stats folder is at 755 permission and you have upgraded to the latest version of the plugin (0.0.7 as of this writing) . Make sure you have reviewed http://codex.wordpress.org/Hardening_WordPress carefully. You may also want to use a plugin such as http://wordpress.org/extend/plugins/exploit-scanner/ to make sure your system has not been compromised. I used this on my website with 0.0.7 running and did not find any issues.
The code in this plugin is benign. It does not do any database reading or writing, other than to the wp_options table using the Settings API which most plugins do. It does not accept user input other than from the admin page, which only logged-in administrators have access to.
As soon as I find out more information I will update this post.
Sorry, I’m starting to think this is a non-issue. I am going to unstick this topic.
I just got a phishing e-mail (fake Paypal receipt for a fake evening dress) that uses this plugin. The URL constructed was as follows:
If the URL is one of those bad neighborhood sites I mentioned, then this is probably just a coincidence.
It’s a mostly unconfigured WordPress blog; it’s just got the original “Hello World” post and comment. I actually just got another nearly identical phishing email, with a similarly formatted URL, but for a different blog and different plugin. So it’s probably not directly related to this plugin.
My guess is that they are hitting some other exploit on unsecured WordPress lbogs which allows them to overwrite php files in the plugin directory and sticking some payload in there.
It’s probably set up specifically to deliver a malware payload, so no other effort was made to configure the site.
Notice that none of the links point to the existing PHP files (wp_plugin_repo_stats.php or uninstall.php). It’s always some other file (like wps.php or colors.php which is not in the download package). So it’s not like the plugin has some native vulnerability which is being exploited using query parameters.
See also http://michaelseese.blogspot.com/2013/04/paypal-spam.html, does this mean Akismet has some backdoor in it too? Doubt it. It’s probably as you say, putting files into a folder of a plugin.
I haven’t visited any of the malware URLs so I can’t even say if the plugin files are actually being used to do anything harmful.
- The topic ‘[Resolved] Update on possible vulnerability’ is closed to new replies.