
Attention WordPress users who have installed the popular MailPoet plugin (wysija-newsletters): a vulnerability has been found in the plugin that allows an attacker to remotely upload a file to the server.

The vulnerability was disclosed by the website security firm Sucuri; one of its team members, Marc-Alexandre Montpas, found the flaw in the MailPoet WordPress plugin.

This is a really dangerous vulnerability, because it lets an attacker upload an arbitrary file without any authentication. The uploaded file may later be used to serve spam or malware to other users in your site's name, and an attacker who can upload PHP to a web-accessible directory can usually take over the whole site.

How to Detect this Vulnerability?

The only safe version is 2.6.7, which was released a few hours ago (2014-Jul-01). All versions below 2.6.7 are vulnerable. The plugin's current version is shown under Plugins in your WordPress dashboard.
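The same check, as an added example that is not part of the article or the MailPoet project: it reads the version from the plugin's header and compares it with 2.6.7 using PHP's own version_compare(). The plugin slug wysija-newsletters is given in the article; the assumption that its main file is index.php, and the sample header used when no path is supplied, are mine.

```php
<?php
// Added example (not from the article or from MailPoet): report whether an
// installed copy of MailPoet predates the patched release 2.6.7.
// Assumption: the plugin's main file is wp-content/plugins/wysija-newsletters/index.php.

const MAILPOET_FIXED_VERSION = '2.6.7';

/**
 * Extract the "Version:" value from a WordPress plugin header block.
 * Returns null when the header is missing.
 */
function mailpoet_header_version(string $header): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

/** True when $version is older than the fixed release. */
function mailpoet_is_vulnerable(string $version): bool
{
    return version_compare($version, MAILPOET_FIXED_VERSION, '<');
}

/** Inspect a WordPress install under $wp_root and return a one-line verdict. */
function mailpoet_check_install(string $wp_root): string
{
    $main = rtrim($wp_root, '/') . '/wp-content/plugins/wysija-newsletters/index.php';
    if (!is_file($main)) {
        return "MailPoet not found at $main";
    }
    // WordPress itself only reads the first 8 KiB of a plugin file for headers.
    $header = file_get_contents($main, false, null, 0, 8192);
    return mailpoet_verdict(mailpoet_header_version($header), $main);
}

/** Build the verdict string for a parsed version (null = header unreadable). */
function mailpoet_verdict(?string $version, string $where): string
{
    if ($version === null) {
        return "Could not read a Version header from $where";
    }
    return mailpoet_is_vulnerable($version)
        ? "VULNERABLE: MailPoet $version (< " . MAILPOET_FIXED_VERSION . ") at $where"
        : "OK: MailPoet $version at $where";
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[1])) {
        // php check-mailpoet.php /var/www/html
        echo mailpoet_check_install($argv[1]), PHP_EOL;
    } else {
        // Constructed sample header so the check can be exercised offline.
        $sample = "<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: 2.6.6\n*/\n";
        echo mailpoet_verdict(mailpoet_header_version($sample), '(sample)'), PHP_EOL;
    }
}
```

Run it with the path of the WordPress root as the only argument; with no argument it runs against the constructed sample header. Comparing with version_compare() rather than a string comparison matters here, because "2.6.10" sorts before "2.6.7" as text but is newer as a version.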

Where is the Vulnerability located?

Sucuri explained on its blog where the vulnerability is located. The root cause is something all plugin developers should be mindful of: the developers assumed that WordPress's "admin_init" hook is only fired when an administrator user visits a page inside /wp-admin/. That is not the case. admin_init fires on every request that loads an admin-side entry point, including /wp-admin/admin-ajax.php and admin-post.php, which any unauthenticated visitor can reach. The upload code hooked to admin_init therefore ran for anyone who sent it a file.

The security firm also reminds developers never to use admin_init (or is_admin()) as an authentication method: is_admin() only reports that an admin-area file is being executed, not that the current user is an administrator. Authorisation must be checked explicitly with current_user_can() and the request must carry a valid nonce.
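The mistake Sucuri describes, next to a hardened form, as an added example that is not MailPoet's code and is not taken from the article. The function names, the form field my_theme, the nonce action name and the capability chosen are illustrative assumptions; add_action, is_admin, current_user_can, check_admin_referer and wp_handle_upload are real WordPress functions.

```php
<?php
// Added example, not MailPoet's code. Function names, the form field
// "my_theme", the nonce action and the capability are assumptions.

// VULNERABLE PATTERN.
// admin_init fires on every admin-side request, including unauthenticated hits
// to /wp-admin/admin-ajax.php and admin-post.php, and is_admin() only says
// that an admin-area file is running, not who the current user is. So this
// handler accepts a file from any visitor, logged in or not.
add_action('admin_init', 'example_vulnerable_upload');
function example_vulnerable_upload() {
    if (!is_admin() || empty($_FILES['my_theme'])) {
        return;
    }
    // No capability check, no nonce, no file-type restriction.
    wp_handle_upload($_FILES['my_theme'], array('test_form' => false));
}

// HARDENED PATTERN.
// Same hook, so the difference is only the checks; a dedicated
// admin_post_{action} hook would be a better home for a form handler.
add_action('admin_init', 'example_hardened_upload');
function example_hardened_upload() {
    if (empty($_FILES['my_theme'])) {
        return;
    }
    // 1. Authorisation: who is asking? admin_init/is_admin() never tell you.
    if (!current_user_can('install_themes')) {
        wp_die('Insufficient permissions', '', array('response' => 403));
    }
    // 2. CSRF: the form must include wp_nonce_field('example_upload_theme');
    //    check_admin_referer() dies when the nonce is missing or stale.
    check_admin_referer('example_upload_theme');
    // 3. Limit what can be uploaded: only a zip archive for this feature.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array('zip' => 'application/zip'),
    );
    $result = wp_handle_upload($_FILES['my_theme'], $overrides);
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', array('response' => 400));
    }
    wp_safe_redirect(admin_url('themes.php?uploaded=1'));
    exit;
}
```

The order of the checks is deliberate: the capability test runs first so that an anonymous request is rejected before any nonce or file handling, and the MIME restriction is a last line of defence rather than a substitute for the first two.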

Still unsure whether you are affected? Disable the MailPoet plugin immediately, then update it to the latest version: go to Plugins > Updates Available, choose MailPoet and click Update. Because the flaw allows unauthenticated uploads, also check wp-content/uploads and the plugin directory for unexpected PHP files that may have been placed there before you updated.

At the time of writing the plugin has been downloaded over 1,700,000 times.
