Researchers discover new WordPress plugin vulnerability which has already affected 50,000 websites

Does your business run a WordPress content management system, or use WordPress as a free open source blogging tool with the popular, unpatched plugin, MailPoet, installed? If you do, then security experts are advising that you should upgrade your site immediately. Why the hurry you may wonder? What’s so serious to warrant immediate action? Well, according to researchers at security firm, Sucuri, a serious vulnerability has been discovered in WordPress plugin, MailPoet, which could potentially allow hackers to inject any file, malware, defacements and spam onto a server whenever and wherever they want without any authentication.

How widespread and serious is this latest security threat? Well researchers and the CEO at Sucuri, Daniel Cid, believe it’s sufficiently serious to warrant bringing it to the attention of the public straight away. The reason for that is that the WordPress plugin, formerly known as Wysija Newsletter, has more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system. Evidence of the seriousness of the threat can, according to Sucuri, be seen in the fact that in the three weeks since the vulnerability was originally uncovered over 50,000 websites have been remotely exploited by cybercriminals to install backdoor malware targeting the vulnerable plugin.

What is of even greater concern in Sucuri’s view is that some of the compromised websites did not even run WordPress, nor did they have the vulnerable MailPoet plugin enabled. Sucuri points out that the cross-contamination implications of this latest security threat are potentially catastrophic, as the malware can infect any website that resides on the server of a hacked WordPress site. Daniel Cid elucidated in a blog post:

“The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files. All the hacked sites were either using MailPoet or had it installed on another sites within the same shared account- cross-contamination still matters.”

“To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighbouring website, it can still affect your website.”

Sucuri first identified and reported about the vulnerability at the beginning of July. The security firm found that the ‘backdoor’ installed was malicious and was capable of creating an admin account which gave attackers full administrative control. It also found that the malware injected backdoor code into all themes and core files. Most worrying Sucuri also found that the malicious code could also overwrite valid files – files which are extremely difficult to recover without a good backup procedure in place. Once infected the website invariably fails and displays the message:

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91.
Sucuri maintain that every version of MailPoet is vulnerable to the malware infection, except the recently released 2.6.7 version, and is therefore advising that users update their system as soon as possible.

If you are concerned about the escalating security challenges facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions from Barracuda Networks, Check Point, Alien Vault and Netwrix, please contact Krypsys on 0845 474 3031 or [email protected].