It seems that every time we turn around, someone has found a new way to exploit a weakness in the programs on our computers, in our operating systems, and even in the websites and servers we use to promote our businesses. Today is no exception. Another serious security vulnerability has been found in the MailPoet WordPress plugin. Unpatched versions of MailPoet allow an attacker to upload any file to the vulnerable website remotely, without needing a username or password.
File uploads of this kind are used to add code to your site that can turn it into a spam sender, or make it sell products you know nothing about and earn nothing from. Basically, they open your site to just about anyone to do just about anything they want. Any way you slice it, this is a serious issue. The MailPoet plugin (wysija-newsletters) is a very popular WordPress plugin with over 1,700,000 downloads so far. This vulnerability has been patched! So if you run the WordPress MailPoet plugin, please upgrade ASAP.
Are you affected?
If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges or account on the target site. That makes it a major threat: every website running an unpatched version is vulnerable.
The only safe version is 2.6.7, which was released just a few hours ago (July 1, 2014).
Why is it so dangerous?
This vulnerability gives a potential intruder the power to do anything they want on a victim's website. It allows any PHP file to be uploaded, which means an attacker can use your website to host phishing lures, send spam, host malware, infect other customers on a shared server, and so on.
Because of the severity of the vulnerability, I won't go into the technical details. The basic mistake, however, is something every plugin developer should be mindful of: the developers assumed that WordPress's "admin_init" hook only fires when an administrator visits a page inside /wp-admin/.
It is an easy mistake to make, and they relied on that hook (admin_init) to decide whether a user was allowed to upload files.
However, any request to /wp-admin/admin-post.php also runs this hook, and it does so without requiring the user to be authenticated. That made their theme upload functionality available to everybody. In WordPress, "admin_init" only means "an admin-side script is running"; it says nothing about who the current user is. Authorization must come from an explicit capability check (for example current_user_can()) plus a nonce check on every request that changes state.
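To make the mistake concrete, here is an illustrative pair of handlers written for this post. It is not MailPoet's code, and the function names, the "theme_zip" form field and the "example_theme_upload" nonce action are all made up for the example. The first handler shows the flawed assumption (admin_init implies an administrator); the second shows the checks that should gate an upload regardless of which hook runs it.

```php
<?php
// Added example, not MailPoet's code. All names below are hypothetical.
// Both handlers are assumed to live inside a WordPress plugin.

// VULNERABLE PATTERN: treats "admin_init" as proof that an administrator
// is present. In fact admin_init also fires for wp-admin/admin-post.php
// and wp-admin/admin-ajax.php, which any anonymous visitor can request.
add_action('admin_init', 'example_vulnerable_theme_upload');
function example_vulnerable_theme_upload() {
    if (empty($_FILES['theme_zip'])) {
        return;
    }
    // No capability check and no nonce: anyone who POSTs a file reaches
    // this line, and the client-supplied file name is trusted as-is.
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['theme_zip']['name'];
    move_uploaded_file($_FILES['theme_zip']['tmp_name'], $dest);
}

// HARDENED PATTERN: authorization is decided by the user's capabilities
// and a nonce, never by which hook happens to be running.
add_action('admin_init', 'example_hardened_theme_upload');
function example_hardened_theme_upload() {
    if (empty($_FILES['theme_zip'])) {
        return;
    }
    // 1. Capability check. Anonymous visitors have no capabilities, so this
    //    alone rejects every unauthenticated request to admin-post.php.
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to upload themes.', '', array('response' => 403));
    }
    // 2. CSRF protection: the form must carry a nonce created with
    //    wp_nonce_field('example_theme_upload'). check_admin_referer()
    //    dies on a missing or invalid nonce.
    check_admin_referer('example_theme_upload');
    // 3. Never trust the client-supplied name; restrict the extension.
    $name = sanitize_file_name($_FILES['theme_zip']['name']);
    if (strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'zip') {
        wp_die('Only .zip archives are accepted.', '', array('response' => 400));
    }
    // 4. Let WordPress handle the move and its own MIME/extension checks.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['theme_zip'], array('test_form' => false));
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', array('response' => 400));
    }
    // $result['file'] is now a server-chosen path under the uploads directory.
}
```

Two notes on the hardened version. First, the capability check is the part that actually closes the hole described above: current_user_can() returns false for a visitor with no session, so the handler stops before touching the file. Second, a cleaner design avoids admin_init altogether and registers the handler on a dedicated hook such as admin_post_example_theme_upload, which WordPress only fires for logged-in users (anonymous requests go to the separate admin_post_nopriv_ prefix). Even then, the capability and nonce checks stay in place, because "logged in" is not the same as "allowed to upload files".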
How should you protect yourself?
Again, update the plugin as soon as possible. Keeping WordPress and all of its plugins updated is the first step to keeping your sites secure. If you don't know how to do this, or are not even sure whether your site is using this plugin, give us a call at 501.542.4241. We'll help mitigate any risks.