WPTouch is a plugin for WordPress that automatically enables a mobile theme for visitors who reach your site on a smartphone or tablet. With five million downloads to date, it’s one of the most popular plugins in the WordPress plugin directory. Earlier today, Sucuri reported that WPTouch has a dangerous security vulnerability, and users are strongly advised to update immediately. The short version is: unless you’re running the latest update, WPTouch allows users who do not have administrative privileges to upload PHP scripts directly to the server, meaning that someone with not-so-good intentions has the capability to take over any site running anything but the latest version of the WPTouch plugin.
The unpatched version of the plugin uses the “admin_init” hook as its authentication method. As was discussed previously, “admin_init” should not be used as an authentication method because it is invoked not only when an administrative user visits any page within wp-admin, but also when wp-admin/admin-post.php is visited, thus allowing anyone to upload potentially malicious code to an affected site.
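As an added illustration that is neither WPTouch's code nor part of the original post, the pattern described above sits next to a handler that authorizes properly; the hook name `example_upload`, the `example_*` function and form-field names, and the image-only allow-list are assumptions:

```php
<?php
// Added illustration (not WPTouch's code): the anti-pattern the post describes,
// followed by the capability check that should gate the action instead.

// VULNERABLE PATTERN: the handler assumes that reaching admin_init means the
// visitor is an administrator. admin_init also fires for any logged-in user who
// loads wp-admin/admin-post.php, so that assumption does not hold.
add_action( 'admin_init', 'example_handle_upload_unsafe' );
function example_handle_upload_unsafe() {
    if ( ! empty( $_FILES['example_file'] ) ) {
        // no capability check, no nonce, no file-type restriction
        move_uploaded_file( $_FILES['example_file']['tmp_name'],
            WP_CONTENT_DIR . '/uploads/' . $_FILES['example_file']['name'] );
    }
}

// HARDENED PATTERN: hook the action, but authorize inside the handler.
add_action( 'admin_post_example_upload', 'example_handle_upload_safe' );
function example_handle_upload_safe() {
    // 1. Authorization: a real capability check, not the name of the hook.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the submitting form must carry a nonce for this action.
    check_admin_referer( 'example_upload_action', 'example_upload_nonce' );

    if ( empty( $_FILES['example_file'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }
    // 3. Restrict what may be stored: images only, never executable scripts.
    $allowed = array( 'jpg' => 'image/jpeg', 'png' => 'image/png' );
    $check   = wp_check_filetype_and_ext( $_FILES['example_file']['tmp_name'],
                                          $_FILES['example_file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted', '', array( 'response' => 415 ) );
    }
    // 4. Let WordPress perform the move; its own upload filters apply as well.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_file'],
        array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?example_upload=ok' ) );
    exit;
}
```

The hardened handler is reached through wp-admin/admin-post.php just like the vulnerable one; the difference is that it decides who may act based on `current_user_can()` and a nonce rather than on which hook fired.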
If you’re using this plugin to create a mobile-friendly experience for your users, update it as soon as possible. Sucuri made the vulnerability known to the authors of the plugin, and they have quickly released a patch to the plugin directory. The only thing users of the plugin need to do is update to the latest version.