WordPress plugin WPtouch insecure nonce generation - Vulnerability Database

Description

The WPtouch WordPress plugin contains a critical security flaw in its nonce (number used once) generation mechanism. WordPress nonces are security tokens that protect against Cross-Site Request Forgery (CSRF) by confirming that a request was deliberately issued by the logged-in user it claims to come from. Because affected versions generate nonces that are weak or predictable, authenticated users with low-privilege roles (such as subscribers or authors) can bypass these checks and upload arbitrary PHP files to the server, circumventing WordPress's built-in upload restrictions.

Remediation

Take the following steps to remediate this vulnerability:

1. Immediate Action:
• Update WPtouch to version 3.4.3 or later through the WordPress admin panel (Plugins → Installed Plugins → WPtouch → Update Now)
• Alternatively, if automatic updates are disabled, download the latest version from the official WordPress plugin repository and install manually

2. Verification Steps:
• After updating, verify the installed version by navigating to Plugins → Installed Plugins and confirming WPtouch shows version 3.4.3 or higher
• Review server logs and uploaded files for any suspicious PHP files created by unauthorized users
• Check for any newly created administrative accounts that may indicate prior exploitation

3. Additional Security Measures:
• If user registration is not required for your website's functionality, disable it under Settings → General → Membership
• Implement file upload restrictions at the web server level to prevent PHP execution in upload directories
• Consider implementing additional security plugins that monitor file changes and user activity

4. If Unable to Update:
• Disable the WPtouch plugin immediately until you can update to a secure version
• Consider alternative mobile optimization solutions if WPtouch cannot be updated
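To support the file review in step 2, the following script walks a WordPress uploads directory and flags files that carry a PHP extension anywhere in the file name (including double extensions such as image.php.jpg) or a PHP open tag in their content. It is an added example written for this page, not code from Invicti or the WPtouch project; the uploads path and the extension list are assumptions to adjust for your server's PHP handler configuration.

```python
"""Flag PHP files inside a WordPress uploads directory (added example, not WPtouch code)."""
import os
import re
import sys

# Extensions commonly mapped to the PHP handler (assumption: match your web server config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# Matches "<?php" and the short echo tag "<?=" regardless of case.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify(path, head):
    """Return a reason string if the file looks like PHP, otherwise None.

    `head` holds the first bytes of the file; a few KB is enough for an open tag check.
    """
    reasons = []
    name = os.path.basename(path).lower()
    parts = name.split(".")
    # Check every extension segment: some Apache AddHandler setups execute image.php.jpg.
    for ext in ["." + p for p in parts[1:]]:
        if ext in PHP_EXTENSIONS:
            reasons.append(f"PHP extension '{ext}' in filename")
            break
    if PHP_OPEN_TAG.search(head):
        reasons.append("PHP open tag in content")
    return "; ".join(reasons) or None


def scan_uploads(root, head_bytes=4096):
    """Walk `root` (normally wp-content/uploads) and return a list of (path, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            reason = classify(full, head)
            if reason:
                findings.append((full, reason))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for path, reason in scan_uploads(target):
        print(f"{path}: {reason}")
```

Run it from the WordPress root after updating; any hit in the uploads tree should be reviewed against the server logs and the account that uploaded it.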
