We’ve discussed WPtouch before — it’s a useful plugin for easily equipping a WordPress site with a mobile theme and touch functionality. It was recently reported by the folks over at Sucuri that the plugin contains a vulnerability that could be exploited by users without administrative privileges to upload PHP files to a server.
It’s a serious vulnerability that could allow the addition of PHP backdoors and other malware to a site — if a malicious party can add arbitrary code, they more or less own the site.
Users of 3.x versions lower than 3.4.3 of WPtouch are vulnerable. The fix is contained in versions 3.4.3 and later. WPtouch users should update immediately using the update functionality in the WordPress admin interface. Users of the 1.x and 2.x versions are not vulnerable to this particular exploit.