Hackers are attacking the social networking plug-in WP Symposium for the blogging platform WordPress, according to security firm Trustwave.

Web honeypots controlled by the firm started detecting exploit attempts against the plug-in after the vulnerability was publicly disclosed, with attackers abusing a function that allows files to be uploaded to a website without relevant restrictions being applied.

In one example given by Trustwave, the hackers uploaded a PHP file that included backdoor code which allowed attackers to send malicious HTTP commands.

David Dede, a Security Researcher in the SucuriLabs group, said: "This is the kind of discovery that keeps us up late at night, and why we invest heavily in our routine audits."

He said that it was "a classic example" of what hackers can do with a website, adding that it raised questions for web admins over what they were doing to mitigate such threats.

Data gathered by SucuriLabs indicated that after the public disclosure of the bug on December 11, scans searching for WP Symposium had leapt to as many as 4,000 per day.

The plug-in has been downloaded more than 150,000 times according to the official WordPress directory, with the extension rated four out of five stars by users.