Unpatched version allows attackers to upload files without authentication

Jul 2, 2014 19:59 GMT  ·  By

The MailPoet plugin for the WordPress blogging platform has been found to be vulnerable to an exploit that allows a potential attacker to upload any file to the affected website, without having to provide any authentication credentials.

The plugin has been downloaded more than 1.7 million times; its popularity comes from the fact that it lets WordPress-powered websites send newsletters to subscribers, post notifications and set up auto-responders.

Daniel Cid, CTO of Sucuri, a security company that specializes in protecting websites, offered no technical details because of the severity of the issue.

However, he said that the weakness stemmed from the false assumption that “admin_init” hooks were called only when an admin visited a page in the “/wp-admin/” folder. In fact, “any call to ‘/wp-admin/admin-post.php’ also executes this hook without requiring the user to be authenticated.”
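The flawed assumption described above is a general WordPress plugin anti-pattern, so here is an added illustration of it beside a hardened handler. This is example code written for this article, not MailPoet's or Sucuri's code; the `myplugin_*` names, the `myplugin_do_upload` action and the `myplugin_upload` nonce action are placeholders.

```php
<?php
// FLAWED PATTERN: treats the admin_init hook as proof of an authenticated admin.
// WordPress also fires admin_init for any request to /wp-admin/admin-post.php,
// so an anonymous visitor reaches this handler and nothing checks who is calling
// or what is being uploaded (the plugin directory is web-executable, so a .php
// file dropped here becomes runnable).
function myplugin_flawed_handler() {
    if ( isset( $_POST['myplugin_do_upload'] ) && ! empty( $_FILES['import'] ) ) {
        $dest = WP_PLUGIN_DIR . '/myplugin/uploads/' . basename( $_FILES['import']['name'] );
        move_uploaded_file( $_FILES['import']['tmp_name'], $dest );
    }
}
add_action( 'admin_init', 'myplugin_flawed_handler' ); // placeholder names

// HARDENED PATTERN: bind the handler to a specific admin-post action and verify
// capability, nonce and file type explicitly; never infer authentication from the hook.
function myplugin_hardened_handler() {
    // 1. Authorisation: neither admin_init nor admin-post.php implies a logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the submitting form must carry wp_nonce_field( 'myplugin_upload' ).
    check_admin_referer( 'myplugin_upload' );

    if ( empty( $_FILES['import'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }
    // 3. Content restriction: accept only the types the feature actually needs.
    $allowed = array( 'csv' => 'text/csv', 'txt' => 'text/plain' );
    $check   = wp_check_filetype_and_ext( $_FILES['import']['tmp_name'],
                                          $_FILES['import']['name'], $allowed );
    if ( empty( $check['ext'] ) ) {
        wp_die( 'File type not allowed', '', array( 'response' => 415 ) );
    }
    // 4. Let WordPress store the file under wp-content/uploads with a sanitised name,
    //    again restricted to the allow-list.
    $result = wp_handle_upload( $_FILES['import'],
                                array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&uploaded=1' ) );
    exit;
}
// admin_post_{action} fires only for authenticated users (the form posts
// action=myplugin_do_upload). admin_post_nopriv_{action} would expose the
// handler to anonymous requests and is deliberately not registered.
add_action( 'admin_post_myplugin_do_upload', 'myplugin_hardened_handler' );
```

The capability check is what actually closes the hole; the nonce and type checks are the defence-in-depth a reviewer would expect alongside it.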

This opens the door for anyone to upload any type of file to the website. The security risk is evident: cybercriminals can use the vulnerability to compromise reputable websites and host phishing pages on them, so that potential victims are less likely to become suspicious.

“This bug should be taken seriously, it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host malware, infect other customers (on a shared server), and so on!!” said Cid in a company blog post.

It seems that all versions of the plugin are vulnerable except the latest one; only updating to version 2.6.7 eliminates the risk of abuse.

Given the plugin's wide popularity, users who have it enabled should update without delay.

This vulnerability report for a WordPress component is the second one in about a week. Last week, the same company broke the news that TimThumb’s Webshot feature allowed a potential attacker to execute certain commands on the affected websites. In both cases, no authentication was necessary.

The level of impact is quite different, though, because in the case of TimThumb the feature was still at the beta stage of development and had to be enabled by the administrator.

Considering that MailPoet has over 1.7 million downloads, the number of potential victims is significantly higher.

Daniel Cid recommends keeping both WordPress and the additional components that extend its functionality updated to the latest version in order to maintain the security of the website.