If you have responsibility for a corporate blog (or run your own) and it runs on WordPress and has a newsletter then I would suggest that you check how your newsletters are handled.
If you find that your blog relies upon MailPoet (a plugin that has been downloaded over 1.7 million times) then you need to be aware that a vulnerability was discovered yesterday which allows a hacker to upload just about anything to the affected site without any form of authentication being required.
Daniel Cid, CTO of Sucuri, gave the following warning in a blog post:
“If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable.”
Sucuri researchers, who kept most of the technical details to themselves for obvious reasons, said that the vulnerability allows a potential attacker to do just about anything on his victim’s website, such as sending out spam, affecting other sites on the same shared host, acting as a lure for phishing attacks and hosting malware directly.
Cid explained that:
“The basics of the vulnerability however is something all plugin developers should be mindful of: the vulnerability resides in the fact that the developers assumed that WordPress’s “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/.
It is a easy mistake to make and they used that hook (admin_init) to verify if a specific user was allowed to upload files.
However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated. Thus making their theme upload functionality available to everybody.”
Cid goes on to say that the research team shared their findings with the plugin author a few weeks ago and, to their credit, they responded well and issued a new patched version (2.6.7) yesterday. Unfortunately, however, the author makes little mention of the security issue, bar one line in the changelog, so its quite likely that a large number of users may not be aware of the pressing need to install the latest version.
If you are using the MailPoet plugin then you should check now that you have the latest version installed.
If you don’t then you can navigate to your blog’s Dashboard.
From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.
Alternatively, you can find the plugin via WordPress.org (click here), download the latest version and then follow the installation guide.
As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins and, if you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (WordPress is a popular target for attackers and this isn’t the first time that a noteworthy plugin has had issues lately).