Users of the popular MailPoet plugin for WordPress are being urged to update it after it was revealed that up to 50,000 websites may have been compromised.
As I reported at the beginning of June, the vulnerability in MailPoet allows attackers to remotely upload files to a website without the need for authentication.
MailPoet released an update the same day but I wondered then whether it had been sufficiently well publicised. Now, according to Sucuri, the security firm that first flagged the vulnerability, we have our answer.
The plugin, which has been downloaded close to two million times, has not been updated by all. According to Sucuri, thousands of WordPress sites have been compromised since they first discovered the vulnerability, with hackers taking advantage of the flaw to inject malware into them.
The attack begins with the uploading of a custom and malicious theme. Once in place, the attackers have a backdoor into the site which affords them full control over it.
As part of the process, several core WordPress files become corrupted, causing PHP error messages to appear on affected websites. Therefore, blog owners who do not have a good backup strategy are especially at risk from this attack.
Daniel Cid, CTO of security firm Sucuri, explained that it is not only websites that have MailPoet installed that are at risk though:
“To be clear, the MailPoet vulnerability is the entry point. It doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.”
Speaking to PC World, Cid further explained that:
“On most shared hosting companies—GoDaddy, Bluehost, etc.—one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account.
If the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server.”
If you use the plugin on your own personal or business blog you have two choices – either disable and uninstall the plugin or update to the latest version (2.6.7).
If you choose the latter option then the update process is quite simple:
Navigate to your blog’s Dashboard
From there, click on Plugins > Update Available and look for the MailPoet plugin. Directly underneath it you will see the option to ‘upgrade now’. Click on that and follow the instructions.
Alternatively, you can download the latest version of the plugin from WordPress.org and then follow the installation guide.
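For site owners who manage several installs from the command line, the following is an added example (not code from the article or from MailPoet) that reads the "Version:" field from the plugin's header and reports whether it is older than the fixed release 2.6.7 named above. It assumes the plugin directory is wp-content/plugins/wysija-newsletters with a main file index.php, and constructs a throwaway sample install for demonstration.

```shell
#!/bin/sh
# Added example: flag MailPoet installs older than the fixed release (2.6.7).
# Assumption: plugin directory and main file names below; verify against your install.
FIXED_VERSION="2.6.7"
PLUGIN_MAIN="wp-content/plugins/wysija-newsletters/index.php"

# plugin_version FILE -> prints the value of the "Version:" header line
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B -> exit 0 if dotted version A is strictly lower than B
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# mailpoet_status WP_ROOT -> prints "absent", "unknown", "vulnerable V" or "current V"
mailpoet_status() {
    main="$1/$PLUGIN_MAIN"
    [ -f "$main" ] || { echo "absent"; return 0; }
    v=$(plugin_version "$main")
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if version_lt "$v" "$FIXED_VERSION"; then echo "vulnerable $v"; else echo "current $v"; fi
}

# make_sample_install VERSION -> creates a constructed WordPress layout, prints its path
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/$(dirname "$PLUGIN_MAIN")"
    printf '<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: %s\n*/\n' "$1" > "$root/$PLUGIN_MAIN"
    echo "$root"
}

# Demo on a constructed install that still runs the pre-fix version
demo=$(make_sample_install "2.6.6")
echo "$demo: $(mailpoet_status "$demo")"
rm -rf "$demo"
```

To check a real site, replace the demo lines with `mailpoet_status /path/to/wordpress`; the script only reads the header file and changes nothing.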
As ever, I would advise running a full backup of your site before making any changes such as updating core files or plugins. If you don’t already have one, now would also be a good time to implement a regular backup schedule, just in case anything does ever go wrong in the future (the popularity of WordPress ensures that it is often a target for fake and corrupted plugins).