The security research team at Sucuri has discovered a vulnerability in the popular WordPress MailPoet Plugin, formerly known as WYSIJA Newsletters. The bug leaves MailPoet open to an attack wherein a file can be uploaded remotely without authentication. Sucuri is classifying this as a serious vulnerability and recommends an immediate update for anyone using the plugin.
If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges or accounts on the target site. This is a major threat: it means every single website using the plugin is vulnerable.
Details of the Vulnerability
The bug essentially allows any intruder to upload a PHP file without having any user permissions on the site, opening the door for sending spam, hosting malware, or any other similarly malicious intent.
The plugin’s developer was using the admin_init hook to verify if the user was allowed to upload files, Sucuri explained in the disclosure. “However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making the theme upload functionality available to everybody.” Plugin developers are encouraged to take note of how easily this simple error can create a vulnerability.
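To make the hook mistake concrete, here is an added illustration of the weak pattern beside a hardened one. This is not MailPoet's own code (the article does not reproduce it); the hook wiring, action names and the mailpoet_handle_theme_upload() helper are hypothetical, while the WordPress functions used are real.

```php
<?php
// Added illustration, not MailPoet's actual code. Handler names, the
// 'upload_theme' action and mailpoet_handle_theme_upload() are hypothetical.

// WEAK: admin_init fires on every wp-admin request, including
// /wp-admin/admin-post.php, which WordPress serves to anonymous visitors.
// Treating "we are under wp-admin" as the authorization check therefore
// lets unauthenticated callers reach the upload handler.
add_action( 'admin_init', 'weak_upload_handler' );
function weak_upload_handler() {
    if ( isset( $_POST['action'] ) && 'upload_theme' === $_POST['action'] ) {
        mailpoet_handle_theme_upload( $_FILES['theme_zip'] ); // hypothetical helper
    }
}

// HARDENED: route the request through admin_post_{action}, which WordPress
// only runs for logged-in users (the anonymous variant,
// admin_post_nopriv_{action}, is deliberately not registered), and then
// verify capability and nonce explicitly instead of trusting the hook.
add_action( 'admin_post_upload_theme', 'hardened_upload_handler' );
function hardened_upload_handler() {
    // Capability check: only users allowed to upload files may proceed.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: the submitting form must carry a nonce for this action
    // (emitted on the form with wp_nonce_field( 'upload_theme_nonce' )).
    check_admin_referer( 'upload_theme_nonce' );

    // Minimal shape check before touching the file; a real handler should
    // also validate the archive contents rather than only the extension.
    $file = isset( $_FILES['theme_zip'] ) ? $_FILES['theme_zip'] : null;
    if ( null === $file
        || UPLOAD_ERR_OK !== $file['error']
        || 'zip' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        wp_die( 'Invalid upload.', '', array( 'response' => 400 ) );
    }

    mailpoet_handle_theme_upload( $file ); // hypothetical helper
    wp_safe_redirect( admin_url( 'admin.php?page=example-plugin&uploaded=1' ) );
    exit;
}
```

The key difference is that the hardened handler never relies on which file under wp-admin received the request; authorization is an explicit current_user_can() check plus a nonce, which holds regardless of how the request arrived.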
MailPoet has been downloaded more than 1.7 million times and is used on thousands of WordPress sites. The only safe version is 2.6.7, which was released today with the patch for the vulnerability. If your site or your clients’ sites are using this plugin, an immediate update is recommended.