CVE-2016-15043
📋 TL;DR
The WP Mobile Detector WordPress plugin allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the resize.php file. This vulnerability affects versions up to and including 3.5, potentially leading to remote code execution on vulnerable WordPress sites.
💻 Affected Systems
- WP Mobile Detector WordPress Plugin
📦 What is this software?
WP Mobile Detector by the WP Mobile Detector project
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for malicious activities.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or install cryptocurrency miners on vulnerable servers.
If Mitigated
If proper file upload validation and web application firewalls are in place, exploitation attempts are blocked and logged for investigation.
🎯 Exploit Status
Exploits have been observed in the wild since 2016. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.6 and later
Vendor Advisory: https://wordpress.org/plugins/wp-mobile-detector/changelog/
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Mobile Detector
4. Click 'Update Now' if available
5. If no update appears, manually download version 3.6+ from WordPress.org
6. Deactivate and delete old version
7. Upload and activate new version
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: all
Temporarily deactivate the WP Mobile Detector plugin until patched
wp plugin deactivate wp-mobile-detector
Block access to resize.php
Platform: linux
Add a web server rule to block direct access to the vulnerable file
# Apache 2.2 syntax: add to the .htaccess in wp-content/plugins/wp-mobile-detector/
<Files "resize.php">
Order Allow,Deny
Deny from all
</Files>
# Apache 2.4+: replace the Order/Deny lines inside <Files> with "Require all denied"
# Nginx: add to the server block, before the generic "location ~ \.php$" handler
# (regex locations are tried in order of appearance and the first match wins)
location ~* /wp-content/plugins/wp-mobile-detector/resize\.php$ {
deny all;
return 403;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the WP Mobile Detector plugin from all WordPress installations
- Implement a web application firewall (WAF) with file upload protection rules to block exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → WP Mobile Detector version. If version is 3.5 or lower, the site is vulnerable.
Check Version:
wp plugin get wp-mobile-detector --field=version
Verify Fix Applied:
Confirm WP Mobile Detector version is 3.6 or higher in WordPress admin panel. Test file upload functionality if available.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-content/plugins/wp-mobile-detector/resize.php with file upload parameters
- Unusual file creations in wp-content/uploads directory with PHP extensions
- Web server error logs showing 403/500 errors for resize.php access attempts
Network Indicators:
- HTTP POST requests to resize.php endpoint with file upload content
- Traffic patterns showing file uploads to plugin directories
SIEM Query:
source="web_server_logs" AND (uri="*resize.php" OR uri="*/wp-mobile-detector/*") AND (method="POST" OR status="200")
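Added example (not part of the original advisory): a small detector that applies the log indicators above to combined-format access log lines, flagging POSTs to resize.php and any request that executes a PHP file under wp-content/uploads. The log lines are constructed samples, and the field names in the returned hits are my own.

```python
import re
from typing import Dict, Iterable, List, Optional

# Combined log format as written by Apache and Nginx by default:
# ip - - [timestamp] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

RESIZE_PATH = "/wp-content/plugins/wp-mobile-detector/resize.php"
# A PHP file being served from the uploads tree should never happen on a healthy site
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php(\?.*)?$", re.IGNORECASE)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    base = path.split("?", 1)[0]
    if base.endswith(RESIZE_PATH) and m.group("method") == "POST":
        reason = "post-to-resize.php"  # upload attempt against the vulnerable endpoint
    elif UPLOADS_PHP.match(path):
        reason = "php-under-uploads"  # possible web shell left behind by a prior upload
    else:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "path": path, "reason": reason}


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the hits, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2016:10:15:02 +0000] "POST /wp-content/plugins/wp-mobile-detector/resize.php HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '203.0.113.10 - - [03/Jun/2016:10:15:09 +0000] "GET /wp-content/uploads/2016/06/x.php HTTP/1.1" 200 73 "-" "curl/7.47.0"',
    '198.51.100.7 - - [03/Jun/2016:10:16:00 +0000] "GET /wp-content/uploads/2016/06/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Jun/2016:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["reason"]} {hit["path"]} (status {hit["status"]})')
```

A 200 on the "php-under-uploads" hit means the server actually executed the file, which is a stronger signal than the upload attempt itself and should be triaged first.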
🔗 References
- https://aadityapurani.com/2016/06/03/mobile-detector-poc/
- https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
- https://wordpress.org/plugins/wp-mobile-detector/changelog/
- https://wpscan.com/vulnerability/e4739674-eed4-417e-8c4d-2f5351b057cf
- https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a5d5dbd-36f0-4886-adf8-045ec9c2e306?source=cve