Critical Vulnerability Found In Popular WordPress Newsletter Plugin


Web security firm Sucuri found a critical vulnerability in a WordPress plugin that has over 1.7 million downloads. The vulnerability allows potential attackers to take complete control of blogs that have the plugin installed.

The vulnerability was found in the MailPoet Newsletters plugin, previously known as wysija-newsletters, and should be taken very seriously.

This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website… It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!

The good news is that the vulnerability has already been patched in the latest version of MailPoet (version 2.6.7), released Tuesday. If you use this plugin you should upgrade to the latest version as soon as possible.

Sucuri’s CTO, Daniel Cid, says that the flaw resulted from the MailPoet developers wrongly assuming that the “admin_init” hook in WordPress is only triggered when an administrator visits pages inside /wp-admin/.

The MailPoet developers used admin_init to verify whether the active user is allowed to upload files. However, because the hook is also triggered by a page accessible to unauthenticated users, the plugin’s file upload functionality was effectively available to anyone.

Apparently this is an easy mistake to make. Cid’s advice to developers: “If you are a developer, never use admin_init() or is_admin() as an authentication method.”
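To make the mistake concrete, here is an added illustrative example (not MailPoet’s code, and not from Sucuri’s write-up) that puts the weak pattern Cid describes beside a hardened upload handler. All function, action and field names (example_weak_upload_handler, example_upload_action, example_file and so on) are made up for the illustration; the WordPress APIs used (admin_init, is_admin, current_user_can, check_admin_referer, wp_handle_upload, the admin_post_{action} hook) are real.

```php
<?php
/*
 * Illustrative example, not MailPoet's code. The point from the article:
 * admin_init and is_admin() describe WHERE a request landed (an admin-area
 * URL such as /wp-admin/admin-ajax.php), not WHO sent it. Anonymous
 * visitors can reach admin-ajax.php, so both fire for them too.
 */

/* ---- Weak pattern: the hook is treated as proof of an administrator ---- */

add_action('admin_init', 'example_weak_upload_handler');
function example_weak_upload_handler() {
    if (empty($_FILES['example_file'])) {
        return;
    }
    // is_admin() is true for any request routed through the admin area,
    // including unauthenticated ones, so this check grants the upload to
    // everybody. No capability check, no nonce, no file-type validation.
    if (is_admin()) {
        example_store_upload($_FILES['example_file']); // hypothetical helper
    }
}

/* ---- Hardened pattern: authenticate, authorize, verify intent, validate ---- */

// admin_post_{action} (without the nopriv_ prefix) is only dispatched by
// admin-post.php for logged-in users, but we still check explicitly rather
// than relying on the hook name alone.
add_action('admin_post_example_upload_action', 'example_safe_upload_handler');
function example_safe_upload_handler() {
    // 1. Authorization: ask WordPress whether THIS user may upload files.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die(esc_html__('You are not allowed to upload files.'), '', array('response' => 403));
    }

    // 2. Intent: the request must carry a nonce tied to this action,
    //    which blocks cross-site request forgery of the upload form.
    check_admin_referer('example_upload_action', 'example_upload_nonce');

    // 3. Input: refuse requests with no file rather than silently returning.
    if (empty($_FILES['example_file'])) {
        wp_die(esc_html__('No file supplied.'), '', array('response' => 400));
    }

    // 4. File validation: wp_handle_upload() applies the site's allowed
    //    MIME/extension list, so .php (and disguised .php) files are rejected
    //    unless the user has the unfiltered_upload capability.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['example_file'], array('test_form' => false));
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', array('response' => 400));
    }

    // Success: redirect back to the (hypothetical) plugin page.
    wp_safe_redirect(admin_url('admin.php?page=example_plugin&uploaded=1'));
    exit;
}

/* ---- The matching form: emits the nonce the handler verifies ---- */

function example_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_upload_action">
        <?php wp_nonce_field('example_upload_action', 'example_upload_nonce'); ?>
        <input type="file" name="example_file">
        <?php submit_button(__('Upload')); ?>
    </form>
    <?php
}
```

When reviewing a plugin, the thing to look for is the first pattern: any handler whose only gate is the hook it is attached to, or a call to is_admin(), with no current_user_can() and no nonce check on the request itself.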

As for WordPress administrators, keeping WordPress and all plugins updated is the first step toward keeping your sites secure.

Matt Southern

Lead News Writer
Matt Southern is the lead news writer at Search Engine Journal. His passion for helping people in all aspects of online marketing flows through in the expert industry coverage he provides.
  • David Trounce

    Thanks for the heads up, Matt.

  • Kolleen

    I have MailPoet installed on about 12 client websites! I think I need to go make sure they have been updated. Thanks for the heads up!

  • Joel

    Very useful information that you share, Matt. I believe as WordPress users we need to test a plugin’s quality before implementing it on our website.