WPtouch a WordPress plugin used by 5.5millions of sites , but the current glitch is available only in version 3.x , there is nothing to worry about 1.x and 2.x
This plugin is used to render the website content on mobile device. It can be customized easily from the administration panel without any impact on the desktop version of the theme
Security researchers at Sucuri say that only the websites that allow registration of guest users, which is generally enabled for the comments section of the site, are in danger.
An attacker could leverage the “admin_init” hook in WordPress, which is used as an authentication method to gain unrestricted access to the website by uploading a remote shell.
Compromising the web location is not complicated. The “admin_initialize()” method is called by the “admin_init” hook in the file “core/classwptouchpro.php.” The admin nonce (number used once) is then generated and included on the WordPress script queue.
“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says Marc-Alexandre Montpas from Sucuri in a blog post.
Basically, if an attacker logs into the website and gets the nonce via the wp-admin, they can send a file upload request that contains the nonce and the backdoor.
Montpas advises WordPress website administrators to use nonces in combination with other functions, like “current_user_can(),” in order to prevent unauthorized users from reaching sensitive areas.
A new version, 3.4.3, has been released for the WPtouch component, which fixes the current security flaw. Website administrators should update it as soon as possible in order to mitigate the risks.
The “admin_init” hook has also been used to leverage attacks through other highly popular WordPress components
At the time, Sucuri CTO Daniel Cid said that “the vulnerability resides in the fact that the developers assumed that WordPress’s ‘admin_init’ hooks were only called when an administrator user visited a page inside /wp-admin/.”