WordPress Sites Under Attack From New Zero-Day In WP Mobile Detector Plugin (softpedia.com)
An anonymous reader writes: A large number of websites have been infected with SEO spam thanks to a new zero-day in the WP Mobile Detector plugin, which was installed on over 10,000 websites. The zero-day had been used in real-world attacks since May 26, but only came to light on May 29 when researchers notified the plugin's developer. Seeing that the developer was slow to react, security researchers informed Automattic, who had the plugin delisted from WordPress.org's Plugin Directory on May 31. In the meantime, security firm Sucuri says it detected numerous attacks with this zero-day, which was caused by a lack of input filtering in an image upload field that allowed attackers to upload PHP backdoors to the victim's servers with incredible ease and without any tricky workarounds. The backdoor's password is "dinamit," the Russian word for dynamite.
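As an added example (not code from the plugin, Sucuri or the submitter), the kind of check the submission says was missing: an "image" upload is rejected when its extension, magic bytes or contents say it is not an image, and the same test is run over an uploads directory to find PHP files that have already landed there. File names and sample bytes are constructed.

```python
import os
import tempfile

# Magic bytes for the image types an image-upload endpoint should accept.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Open tags that would let a file execute if the web server treats it as PHP.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')

def check_upload(name, data):
    """Return the reasons a would-be image upload must be rejected (empty list = accept)."""
    problems = []
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        problems.append(f"extension {ext or '(none)'} not in image whitelist")
    if not data.startswith(IMAGE_MAGIC):
        problems.append("content does not start with a known image signature")
    if any(marker in data for marker in PHP_MARKERS):
        problems.append("PHP open tag found inside file")
    return problems

def scan_upload_dir(root):
    """Walk an image-only directory and report every file that fails check_upload."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            if problems := check_upload(fn, data):
                findings[os.path.relpath(path, root)] = problems
    return findings

def demo():
    """Build a constructed uploads directory (sample bytes, not real files) and scan it."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,               # legitimate image
        "backdoor.php": b"<?php /* constructed sample, does nothing */ ?>",  # plain PHP in uploads
        "polyglot.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php ?>",     # image header, PHP appended
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_upload_dir(root)
```

The scan is a heuristic for finding files that should never be in an uploads tree; it does not replace denying PHP execution in that directory at the web-server level.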
Try telling that to a business head who praises how great WordPress is and how it's the only platform they consider using. I tell all potential customers to stay away from WordPress, and if I'm asked to work with it I tell them I'm not interested in the job *.
I've administered enough cPanel servers to know the extent and damage of wild WordPress exploits and quite frankly cannot for the life of me understand why it gets chosen as a preferred platform.
* Yes I like money. No I don't deal with cheapskates that choose to cut corners.