The research team at Sucuri has identified a vulnerability in the very popular WordPress plugin MailPoet Newsletters. An announcement by Sucuri urges anyone running the MailPoet Newsletters plugin to update immediately!
The flaw was discovered by Marc-Alexandre Montpas, a member of the Sucuri research team, a few weeks ago, and was immediately reported to the MailPoet team. Earlier today, 2.6.7 was released, which includes a patch for the vulnerability and is the only safe version available.
The flaw enables attackers to upload an arbitrary PHP file to a vulnerable site. The site can then be used by the attacker to distribute spam, host malware, infect other customers, and more. Sucuri indicated that, because of the severity of the vulnerability, no additional technical details will be disclosed.
The basic flaw, however, is something every plugin developer should be mindful of: the developers assumed that WordPress’s “admin_init” hook fires only when an administrator visits a page inside /wp-admin/. In reality, admin_init runs for any request that loads the admin bootstrap, including admin-ajax.php and admin-post.php, and WordPress does not check who the visitor is before firing it. Any handler attached to admin_init must perform its own capability check.
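To illustrate the anti-pattern and the fix, here is an added example for a hypothetical plugin. It is not MailPoet’s code and not Sucuri’s undisclosed details; the plugin name, the `example_*` function names, the `example_action` field and the `theme` upload field are all invented for the illustration. The vulnerable handler hooks `admin_init` and treats “we are running inside the admin” as proof of an administrator; the hardened one hooks `admin_post_{action}`, checks the capability and a nonce explicitly, and lets `wp_handle_upload()` enforce an allow-list of file types.

```php
<?php
/*
Plugin Name: Example Import Handler (constructed example, not MailPoet's code)
*/

// --- Vulnerable pattern (constructed example) ---
// Hooking admin_init and assuming "this only runs for admins in /wp-admin/".
// admin_init also fires for admin-ajax.php and admin-post.php, which any
// visitor can request, so this handler runs for unauthenticated users too.
function example_vulnerable_import() {
    if ( ! isset( $_POST['example_action'] ) || $_POST['example_action'] !== 'import_theme' ) {
        return;
    }
    // No capability check, no nonce, no file-type restriction:
    // whatever was uploaded is written into the uploads directory as-is.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['theme']['name'] );
    move_uploaded_file( $_FILES['theme']['tmp_name'], $dest );
}
// add_action( 'admin_init', 'example_vulnerable_import' ); // do not use

// --- Hardened pattern (constructed example) ---
// 1. admin_post_{action} only runs for logged-in users who POST that exact
//    action to admin-post.php (the _nopriv_ variant is for anonymous users).
// 2. Check the capability explicitly; being inside /wp-admin/ proves nothing.
// 3. Verify a nonce so a logged-in admin cannot be CSRF'd into uploading.
// 4. Let wp_handle_upload() enforce an allow-list of file types.
function example_safe_import() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_import_theme', 'example_nonce' );

    if ( empty( $_FILES['theme']['tmp_name'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }

    $overrides = array(
        'test_form' => false,
        // Only accept a ZIP archive; .php and double-extension names are rejected.
        'mimes'     => array( 'zip' => 'application/zip' ),
    );
    $result = wp_handle_upload( $_FILES['theme'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    // ... process $result['file'] (the stored ZIP) here ...
    wp_safe_redirect( admin_url( 'admin.php?page=example&imported=1' ) );
    exit;
}
add_action( 'admin_post_example_import_theme', 'example_safe_import' );

// The admin-side form that targets the hardened handler above.
function example_render_import_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import_theme">
        <?php wp_nonce_field( 'example_import_theme', 'example_nonce' ); ?>
        <input type="file" name="theme" accept=".zip">
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}
```

Two caveats worth keeping in mind: `wp_handle_upload()` validates the uploaded file’s name and type, not the contents of an archive, so whatever unpacks `$result['file']` still has to validate each entry (path traversal, nested `.php` files) before writing it anywhere; and the capability check belongs inside the handler even though `admin_post_{action}` already requires a login, because any logged-in role (a subscriber included) can reach admin-post.php.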
According to Sucuri, this is a very serious vulnerability, and “if you have this plugin activated on your website, the odds are not in your favor.”
Due to the tremendous popularity of the MailPoet Newsletters Plugin, with some 1.7 million downloads, it’s likely this vulnerability has affected many sites. The only way to ensure your site’s safety is to upgrade it as soon as possible!
Marie Dodson is the assistant editor at Torque. She graduated from Cornell University with a degree in Biology and Society. She enjoys wine, good books, and travel.