CVE-2016-15043
BaseFortify
Publication date: 2025-07-19
Last updated on: 2025-12-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_mobile_detector_project | wp_mobile_detector | to 3.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2016-15043 is a critical vulnerability in the WP Mobile Detector WordPress plugin (versions up to 3.5) that allows unauthenticated attackers to upload arbitrary files to the server. The flaw exists in the resize.php file, which accepts a 'src' parameter without proper validation or sanitization. This parameter is used to fetch and save files from remote URLs or local paths into the plugin's cache directory. Because there is no file type validation, attackers can upload malicious files such as PHP web shells, enabling remote code execution on the affected server. [1, 3, 4]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing attackers to upload and execute malicious code on your WordPress server without authentication. This can lead to full remote code execution, enabling attackers to take control of your website, deface it, steal data, install backdoors, or use your server for malicious activities such as spam, hosting illegal content, or SEO spam campaigns. The exploit is easy to perform and bypasses many common WordPress security measures, making affected sites highly vulnerable to compromise. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable WP Mobile Detector plugin versions up to 3.5 on your WordPress site, especially the resize.php file in the plugin directory. You can look for suspicious files in the /wp-content/plugins/wp-mobile-detector/cache/ directory, such as unexpected PHP files or backdoors. Network detection can involve monitoring HTTP requests to URLs like /wp-content/plugins/wp-mobile-detector/resize.php with a 'src' parameter pointing to external URLs. Commands to detect suspicious files include: 1) Listing files in the cache directory: `ls -la wp-content/plugins/wp-mobile-detector/cache/` 2) Searching for PHP files in the cache directory: `find wp-content/plugins/wp-mobile-detector/cache/ -name '*.php'` 3) Checking web server access logs for requests to resize.php with 'src' parameter: `grep 'resize.php?src=' /var/log/apache2/access.log` or equivalent. Additionally, scanning for unusual .htaccess files or directories created by attackers (e.g., directories like gopni3g) is recommended. [3, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Remove or disable the WP Mobile Detector plugin entirely, as it has been removed from the WordPress repository and is no longer supported. 2) If the plugin must remain temporarily, disable PHP execution in the plugin's cache directory by adding an .htaccess file with the following content to the /wp-mobile-detector/cache/ directory: <Files *.php> deny from all </Files> This prevents execution of uploaded malicious PHP files but does not stop uploads themselves. 3) Revoke write permissions on the cache directory to prevent file uploads, though this may break plugin functionality. 4) Perform a thorough site cleanup if infection is suspected, including removing backdoors, scanning for malicious files, and checking for unauthorized admin accounts or database changes. 5) Consider using web application firewalls or monitoring tools to block exploitation attempts. Ultimately, complete removal of the plugin is the only reliable solution until a proper fix is available. [3, 4]