Version 2.6.7 of the MailPoet plugin fixes a severe vulnerability that could allow an attacker to take over WordPress sites.
Version 2.6.7 of the MailPoet plugin fixes a severe vulnerability that could allow an attacker to take over WordPress sites.

Ongoing exploitation of a severe vulnerability in MailPoet, a popular newsletter plugin for blogging platform WordPress that has close to two million users, has resulted in thousands of websites being compromised or worse, according to researchers with security company Sucuri.

The vulnerability could allow an attacker, without authentication, to remotely upload anything to the website, subsequently enabling malware injections, defacement, spam and other attacks, according to a Wednesday post by Daniel Cid, CTO of Sucuri.

The flaw was discovered by Sucuri and written about on July 1, hours after version 2.6.7 was released to address the problem. However, many users seem not to have acted – a couple of weeks later Sucuri identified thousands of WordPress sites compromised by malware and quickly tied it to the MailPoet vulnerability.

“What makes it so unique is that the malicious payload is being blindly injected which is causing websites to break,” Peter Gramantik, a malware researcher with Sucuri, wrote in a Tuesday post. “The infector PHP code is buggy and it is corrupting legitimate website files. It is targeting not only the core WordPress files, but also theme and plugins files. The result [is] various PHP errors being displayed instead of the normal site content.”

Sucuri deemed the vulnerability to be severe and, in its posts, would not get into the technical details of exploitation, but Cid explained that these recent attacks all begin with the attackers uploading a custom-made malicious theme to the targeted WordPress site.

A successful upload results in the attacker being able to access a backdoor and get full control of the website, as well as creating an admin user named 1001001, Cid wrote, adding that backdoor code is also injected into all theme and core files.

The issue should serve as a reminder to plugin developers, Cid wrote.

“The vulnerability resides in the fact that the developers assumed that WordPress's “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/,” Cid wrote. “If you are a developer, never use admin_init(), or is_admin(), as an authentication method.”

Sucuri did not respond to a SCMagazine.com request for comment.