Web security firm Sucuri has found a critical vulnerability in a WordPress plugin with more than 1.7 million downloads. The flaw lets an attacker take complete control of any blog that has the plugin installed.
The vulnerability is in the MailPoet Newsletters plugin, previously known as wysija-newsletters, and should be taken very seriously.
This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website… It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!
The good news is that the vulnerability has already been patched in the latest version of MailPoet (version 2.6.7), released Tuesday. If you use this plugin, upgrade to the latest version as soon as possible.
Sucuri’s CTO, Daniel Cid, says the flaw stems from the MailPoet developers wrongly assuming that WordPress’s “admin_init” hook fires only when an administrator visits pages under /wp-admin/.
The MailPoet developers used admin_init to check whether the current user is allowed to upload files. But the hook also fires on a page that unauthenticated users can reach, so the plugin’s file-upload functionality was effectively open to anyone.
Apparently, this is an easy mistake to make. Cid’s advice to developers: “If you are a developer, never use admin_init() or is_admin() as an authentication method.”
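To make the mistake concrete, here is an added example of the flawed pattern next to its hardened form. This is not MailPoet’s code or Sucuri’s; the function names, the `my_theme` field, the nonce action and the `example_process_upload` helper are all hypothetical. It relies only on standard WordPress API functions (`add_action`, `is_user_logged_in`, `current_user_can`, `check_admin_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `wp_die`).

```php
<?php
// Added example, not MailPoet's code. Illustrates why admin_init is not
// an authentication check in WordPress.
//
// admin_init fires on every request that loads the admin bootstrap,
// including admin-ajax.php and admin-post.php, both of which serve
// unauthenticated visitors. is_admin() likewise only answers "is this
// an admin-area URL", not "is an administrator logged in".

// FLAWED PATTERN (hypothetical, mirroring the mistake described above):
// treating "this hook fired" as proof that an administrator is present.
add_action( 'admin_init', 'example_handle_upload_flawed' );
function example_handle_upload_flawed() {
    if ( empty( $_FILES['my_theme'] ) ) {
        return;
    }
    // No identity, capability or nonce check: any visitor who reaches
    // admin-ajax.php with a file attached ends up here.
    example_process_upload( $_FILES['my_theme'] );
}

// HARDENED PATTERN: check identity, capability, intent and file type
// explicitly, regardless of which hook delivered the request.
add_action( 'admin_init', 'example_handle_upload_hardened' );
function example_handle_upload_hardened() {
    if ( empty( $_FILES['my_theme'] ) ) {
        return;
    }

    // 1. Is a user logged in, and does that user hold the right capability?
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Did the request come from our own form? (CSRF protection; the form
    //    must emit wp_nonce_field( 'example_upload', 'example_nonce' ).)
    check_admin_referer( 'example_upload', 'example_nonce' );

    // 3. Accept only the file type we expect, using WordPress's own
    //    extension/MIME validation rather than trusting the client.
    $check = wp_check_filetype_and_ext(
        $_FILES['my_theme']['tmp_name'],
        $_FILES['my_theme']['name'],
        array( 'zip' => 'application/zip' )
    );
    if ( empty( $check['ext'] ) ) {
        wp_die( 'Only ZIP archives are accepted.', 'Bad Request', array( 'response' => 400 ) );
    }

    example_process_upload( $_FILES['my_theme'] );
}

// Hypothetical stand-in for the plugin's real upload handling. Even here,
// wp_handle_upload() is used so the file lands in the uploads directory
// under a sanitized name instead of at a caller-chosen path.
function example_process_upload( array $file ) {
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 'Upload failed', array( 'response' => 400 ) );
    }
    return $result['file'];
}
```

The checks in the hardened handler are independent of the hook: moving the same code to `admin_post_*`, `wp_ajax_*` or a REST route keeps it safe, whereas the flawed handler is only as safe as the (wrong) assumption about who can trigger `admin_init`.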
For WordPress administrators, keeping WordPress and all plugins up to date is the first step in keeping your sites secure.