Websites that run on WordPress and have downloaded the very popular MailPoet plug-in are susceptible to cyber infiltration and hackers could garner complete access to websites and take them over, according to a blog post from researchers.
Daniel Cid, CTO of security firm Sucuri, warned in a blog post Tuesday that the bug in the plug-in can permit cyber attackers to upload any file they want to vulnerable servers. The plug-in, which offers websites the ability to produce newsletters and post notifications and responses, has been downloaded approximately 1.7 million times.
The bug was first noticed last month.
He refrained from providing further details about the breach, but did note that the bug’s origin is the result of a false assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. According to Cid, the only safe version of the file is the newly released 2.6.7, which he urges everyone to download immediately because it comes with a patch.
“If you have this plugin activated on your website, the odds are not in your favor. An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable,” stated Cid.
Although it’s a mistake that is easy to make, Cid recommends each plug-in developer to never utilize admin_init() or is_admin() for any sort of authentication method.
“This bug should be taken seriously,” Cid wrote. “It gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host[ing] malware, infect[ing] other customers (on a shared server), and so on!!”
It was noted by PC World that attackers scan the Internet every single day to search for WordPress installations that are affected by vulnerabilities akin to the issue discovered in MailPoet.
Last week, for instance, it was reported that the TimThumb plug-in, a feature that allows publishers to resize images, had been vulnerable because the webshot function produces a method to insert spurious code onto at risk websites. With this openness, researchers note hackers can create, remove or revise any files they want.
Plug-in developers were proactive and acted quickly as they released a patched TimThumb version 2.8.14.
“The good news is that Timthumb comes with the webshot option disabled by default, so just a few Timthumb installations are vulnerable,” averred Cid in a separate blog post. “However, you have to check if your timthumb file does not have this option enabled to prevent it from being misused. Open your timthumb file (inside your theme or plugin) and search for ‘WEBSHOT_ENABLED’ and make sure it is set to ‘false.’”
In the end, this should serve as a warning for all WordPress users who maintain plug-ins to update them on a regular basis. WordPress websites remain to be one of the most frequent targets for cyber criminals. Websites that become victims are then used by the hackers to host spam pages and malevolent content as part of other attacks.