The plugin has been downloaded more than 1.7 million times; its popularity stems from the fact that it lets WordPress-powered websites send newsletters to subscribers, post notifications, and set up auto-responders.
Daniel Cid, CTO of Sucuri, a security company that specializes in website protection services, offered no technical details because of the severity of the issue.
However, he said that the weakness stemmed from the false assumption that “admin_init” hooks were called only when an admin visited a page in the “/wp-admin/” folder. In fact, “any call to ‘/wp-admin/admin-post.php’ also executes this hook without requiring the user to be authenticated.”
This opens the door for anyone to upload any type of file to the website. The security risk is evident: cybercriminals can exploit the vulnerability to compromise reputable websites and use them to allay the suspicions of potential phishing victims.
“This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host malware, infect other customers (on a shared server), and so on!!” said Cid in a company blog post.
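The following is an added illustration, not MailPoet's code or anything Sucuri published: a hypothetical plugin upload handler written the way the article describes (attached to “admin_init” and trusting that hook as proof of an admin session), beside a hardened version of the same handler. All function and field names (`example_*`, `upload`) are invented for the example; the WordPress APIs used (`admin_post_{action}`, `current_user_can`, `check_admin_referer`, `wp_handle_upload`) are real.

```php
<?php
/*
 * Added example (not MailPoet's or Sucuri's code).
 *
 * WordPress fires the "admin_init" action on every admin-area request,
 * including wp-admin/admin-post.php and wp-admin/admin-ajax.php, which
 * do not require a logged-in user. A handler attached to it must do its
 * own capability and nonce checks; "the request reached wp-admin" proves
 * nothing about who sent it.
 */

// ---- Vulnerable pattern (hypothetical) -----------------------------------
// Any visitor who POSTs a file to /wp-admin/admin-post.php reaches this
// function, because admin_init does not imply authentication. Shown only
// to make the bug class concrete; do not register a handler like this.
function example_vulnerable_upload() {
    if ( empty( $_FILES['upload'] ) ) {
        return;
    }
    $target = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['upload']['name'] );
    // No capability check, no nonce, no file-type restriction.
    move_uploaded_file( $_FILES['upload']['tmp_name'], $target );
}
// add_action( 'admin_init', 'example_vulnerable_upload' ); // the vulnerable registration

// ---- Hardened pattern ----------------------------------------------------
// 1. Hook admin_post_{action}, which only runs for logged-in users whose
//    request carries a matching "action" field (admin_post_nopriv_{action}
//    is the explicit anonymous variant and is deliberately NOT registered).
// 2. Check a capability: being logged in is not the same as being an admin.
// 3. Verify a nonce so a forged cross-site form cannot trigger the upload.
// 4. Let WordPress validate the file type against a whitelist.
function example_hardened_upload() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_upload' ); // dies on a missing or invalid nonce

    if ( empty( $_FILES['upload'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['upload'],
        array(
            'test_form' => false,
            // Whitelist the one type this feature needs; a .php upload is rejected here.
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }

    wp_safe_redirect( admin_url( 'admin.php?page=example&uploaded=1' ) );
    exit;
}
add_action( 'admin_post_example_upload', 'example_hardened_upload' );
```

The matching settings-page form posts to `admin_url( 'admin-post.php' )` with a hidden `action` field set to `example_upload` and a `wp_nonce_field( 'example_upload' )` call, which is what `check_admin_referer( 'example_upload' )` verifies. The defensive point is layered: even if a future WordPress change made the hook reachable in some other unexpected way, the capability check, the nonce and the MIME whitelist each independently stop an anonymous PHP upload, which is the outcome the article warns about.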
It seems that all versions of the plugin are vulnerable except the latest one; only updating to version 2.6.7 eliminates the risk of abuse.
This is the second vulnerability report for a WordPress component in about a week. Last week, the same company broke the news that TimThumb’s Webshot feature allowed a potential attacker to execute certain commands on the affected websites. In both cases, no authentication was necessary.
MailPoet has over 1.7 million downloads, and the number of potential victims is significantly higher.
Daniel Cid recommends keeping both WordPress and the additional components that extend its functionality updated to the latest version in order to keep the website secure.