UPDATE: OptimizePress has a response and official fix here.

Thousands of WordPress sites are at risk of being hacked using a newly-discovered vulnerability in the popular OptimizePress theme.  We tried to find an official announcement of this vulnerability, but the search only turned up a PasteBin post from Nov. 23 that has since been removed.  However, the Google cache is still there as of now (included at the end of this post).  It shows the details of the vulnerability, which is very simple: an unauthenticated file upload that can be exploited with nothing more than a browser.  The problem is in this file: wp-content/themes/OptimizePress/lib/admin/media-upload.php.  You can simply browse directly to that file, yielding a page like this:

[Screenshot: the OptimizePress media-upload.php page, showing the "Upload New Image" form]

The hacker simply has to choose a PHP file using the “Upload New Image” section and upload it.  The page then lists it, like this:

[Screenshot: the media-upload.php page after upload, listing the uploaded PHP file]

Now the PHP file is located at /wp-content/uploads/optpress/images_comingsoon/2013112722-02-57osirt.php.  What makes this even worse is that there's no index file or .htaccess file at /wp-content/uploads/optpress/images_comingsoon/, so the directory listing is exposed and hackers can search for that path as part of URLs to find already-exploited sites.  A fix by OptimizePress will have to include adding index files to directories not meant to be browsed.

This is a very simple exploit, and so far we have seen only defacements (commonly “Hacked By Iwan Kaito”) performed with it.  However, it’s likely already being integrated into the scanning tools used by the serious criminals to infect sites with malware and spam.

Here are the relevant log entries from one of the recent cases.  First, the hacker locates the vulnerable page using one of the specifically-crafted Google search terms for it:

1.9.103.132 - - [27/Nov/2013:00:26:55 -0800] "GET /wp-content/uploads/optpress/images_comingsoon/ HTTP/1.1" 200 521 "http://www.google.com/url?sa=t&rct=j&q=[...]

Next, a request and a post to it:

1.9.103.132 - - [27/Nov/2013:00:27:37 -0800] "GET /wp-content/themes/OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 1331

1.9.103.132 - - [27/Nov/2013:00:31:39 -0800] "POST /wp-content/themes/OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 1377

And just like that, a shell is in place:

1.9.103.132 - - [27/Nov/2013:00:31:47 -0800] "GET /wp-content/uploads/optpress/images_comingsoon/2013112708-31-46b374k.php
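The three-step pattern above (GET the uploader, POST to it, then fetch a .php file from the uploads directory) is easy to pick out of an access log by client IP. The following is an added example written for this post, not code from OptimizePress or from the original author; the sample log lines are constructed from the entries quoted above, with the final status and size on the last line filled in for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the entries quoted in the post.
# The last request's status/size and the unrelated 10.0.0.5 entry are made up.
SAMPLE_LOG = """\
1.9.103.132 - - [27/Nov/2013:00:26:55 -0800] "GET /wp-content/uploads/optpress/images_comingsoon/ HTTP/1.1" 200 521 "http://www.google.com/url?sa=t"
1.9.103.132 - - [27/Nov/2013:00:27:37 -0800] "GET /wp-content/themes/OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 1331
1.9.103.132 - - [27/Nov/2013:00:31:39 -0800] "POST /wp-content/themes/OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 1377
1.9.103.132 - - [27/Nov/2013:00:31:47 -0800] "GET /wp-content/uploads/optpress/images_comingsoon/2013112708-31-46b374k.php HTTP/1.1" 200 88
10.0.0.5 - - [27/Nov/2013:01:00:00 -0800] "GET /wp-content/uploads/optpress/images_comingsoon/banner.png HTTP/1.1" 200 4000
"""

# Apache combined/common log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

UPLOADER = "/wp-content/themes/optimizepress/lib/admin/media-upload.php"
DROP_DIR = "/wp-content/uploads/optpress/"


def classify(entry):
    """Label a parsed request, or return None if it is not relevant to this bug."""
    path = entry["path"].split("?", 1)[0].lower()
    if path == UPLOADER:
        return "uploader_post" if entry["method"] == "POST" else "uploader_get"
    # A .php file should never legitimately live under the uploads tree.
    if path.startswith(DROP_DIR) and path.endswith(".php"):
        return "php_in_uploads"
    return None


def find_suspects(log_text):
    """Return {ip: [(label, path, status), ...]} for clients that POSTed to the
    uploader or requested a .php file under uploads/optpress/."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        label = classify(entry)
        if label:
            events[entry["ip"]].append((label, entry["path"], entry["status"]))
    return {ip: evs for ip, evs in events.items()
            if any(lbl in ("uploader_post", "php_in_uploads") for lbl, _, _ in evs)}
```

A `php_in_uploads` hit with status 200 is the strongest indicator, since it means the dropped file was served (and therefore executed) rather than rejected.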

We just contacted OptimizePress, but so far there seems to be no announcement or update about this.  In the meantime, if you're an OptimizePress user, we recommend you set your desired "Coming Soon" image and then rename or delete wp-content/themes/OptimizePress/lib/admin/media-upload.php.  Please note that this can be exploited if you have OptimizePress installed, even if it's not the active theme.
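To check an install for the indicators above and apply the interim fix (rename the uploader, and add an index file plus an .htaccess to the upload directory that the post notes is missing one), here is an added example written for this post; it is not OptimizePress code. It assumes Apache 2.2-style `Order`/`Deny` directives (current in 2013; Apache 2.4 uses `Require all denied`) and that the rename suffix `.php-disabled` is not mapped to the PHP handler on your server.

```python
import os
import tempfile

UPLOADER_REL = os.path.join("wp-content", "themes", "OptimizePress", "lib", "admin", "media-upload.php")
DROP_DIR_REL = os.path.join("wp-content", "uploads", "optpress", "images_comingsoon")

# Assumed Apache 2.2 directives: hide the listing and refuse to serve any .php here.
HTACCESS = 'Options -Indexes\n<FilesMatch "\\.php$">\n  Order deny,allow\n  Deny from all\n</FilesMatch>\n'


def audit(wp_root):
    """Report the indicators this post describes for one WordPress install."""
    drop_dir = os.path.join(wp_root, DROP_DIR_REL)
    php_files, protected = [], True
    if os.path.isdir(drop_dir):
        php_files = sorted(f for f in os.listdir(drop_dir)
                           if f.lower().endswith(".php") and f != "index.php")
        protected = any(os.path.exists(os.path.join(drop_dir, n)) for n in ("index.php", ".htaccess"))
    return {
        "uploader_present": os.path.isfile(os.path.join(wp_root, UPLOADER_REL)),
        "php_in_drop_dir": php_files,          # left in place for investigation, never auto-deleted
        "drop_dir_unprotected": os.path.isdir(drop_dir) and not protected,
    }


def harden(wp_root):
    """Apply the post's interim fix: disable the uploader, protect the upload directory."""
    uploader = os.path.join(wp_root, UPLOADER_REL)
    if os.path.isfile(uploader):
        # Use a suffix that does not end in .php so no handler can still execute it.
        os.rename(uploader, uploader[:-len(".php")] + ".php-disabled")
    drop_dir = os.path.join(wp_root, DROP_DIR_REL)
    os.makedirs(drop_dir, exist_ok=True)
    with open(os.path.join(drop_dir, "index.php"), "w") as fh:
        fh.write("<?php\n// Silence is golden.\n")   # WordPress's own placeholder convention
    with open(os.path.join(drop_dir, ".htaccess"), "w") as fh:
        fh.write(HTACCESS)


def demo():
    """Build a constructed install in a temp dir, audit it, harden it, audit again."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.dirname(os.path.join(root, UPLOADER_REL)))
    open(os.path.join(root, UPLOADER_REL), "w").close()
    os.makedirs(os.path.join(root, DROP_DIR_REL))
    # Constructed dropped-file name, taken from the log entry quoted in the post.
    open(os.path.join(root, DROP_DIR_REL, "2013112708-31-46b374k.php"), "w").close()
    before = audit(root)
    harden(root)
    return before, audit(root)
```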

One of the Google search terms available to find vulnerable sites for this hack yields "about 159,000" results.  So this has the potential to affect quite a few sites.  We will update with more details as they become available.  If you have OptimizePress installed and you suspect your site has been hacked through it, please feel free to contact us for our malware removal service.

Original vulnerability announcement:

#############################################################################
# Exploit Title: WordPress OptimizePress Themes File Upload Vulnerability   #
# Author: Eagle Eye                                                         #
# Date: 21/11/2013                                                          #
# Themes Link: http://www.optimizepress.com/                                #
# Infected File: lib/admin/media-upload.php                                 #
# Category: webapps                                                         #
# Google dork: inurl:/wp-content/themes/OptimizePress/                      #
#              inurl:/wp-content/uploads/optpress/                          #
# Tested on : Windows/Linux                                                 #
#############################################################################
#                                                                           #
#Exploit                                                                    #
#                                                                           #
#- Upload your shell                                                        #
#                                                                           #
#http://127.0.0.1/wp-content/themes/OptimizePress/lib/admin/media-upload.php#
#                                                                           #
#- Your shell is here                                                       #
#                                                                           #
#http://127.0.0.1/wp-content/uploads/optpress/images_comingsoon/            #
#                                                                           #
#.:: United of Muslim Cyber Army ::.                                        #
#                                                                           #
#############################################################################