Critical Vulnerability Found In Popular WordPress Newsletter Plugin

SMS Text
Critical Vulnerability Found In Popular WordPress Newsletter Plugin

Web security firm, Sucuri, found a critical vulnerability in a WordPress plug-in that has over 1.7 million downloads. The vulnerability allows potential attackers to take complete control of blogs that have the plugin installed.

The vulnerability was found in the MailPoet Newsletters plug-in, previously known as wysija-newsletters, and should be taken very seriously.

This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website… It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!

The good news is that the vulnerability has already been patched in the latest version of MailPoet (version 2.6.7), released Tuesday. If you use this plugin you should upgrade to the latest version as soon as possible.

Sucuri’s CTO, Daniel Cid, says that the flaw resulted from the MailPoet developers wrongly assuming that the “admin_init” hook in WordPress is only triggered when an administrator visits pages inside /wp-admin/.

The MailPoet developers used admin_init to verify whether the active user is allowed to upload files. However, as the hook is also triggered by a page accessible to unauthenticated users, the plug-in’s file upload functionality was essentially available to anyone.

Apparently, this is an easy mistake to make. Cid recommends to developers, “If you are a developer, never use admin_init() or is_admin() as an authentication method.”

As for WordPress administrators, keeping WordPress and all plugins updated is the first step to keep your sites secured.

Matt Southern
Matt Southern has been the lead news writer at Search Engine Journal since 2013. His passion for helping people in all aspects of online marketing... Read Full Bio
Matt Southern
Subscribe to SEJ!
Get our weekly newsletter from SEJ's Founder Loren Baker about the latest news in the industry!