Over 50,000 websites have been compromised within the first three weeks following the disclosure of a critical vulnerability in the MailPoet plugin (formerly known as Wysija Newsletter) for WordPress.
The vulnerability allows the attacker to upload any content including PHP script files to the server without authentication. Successful exploitation of the vulnerability allows the attacker to execute code on the WordPress system and take complete control of the website.
The popularity of the plugin (over 1.7 million downloads) has attracted the attention of Malware authors who have already seized the opportunity to create a worm designed to propagate via vulnerable WordPress systems [1].
The initial patch for the vulnerability failed to correctly fix the problem, therefore we recommend that users of the software apply the 2.6.9 update, even if patches were applied following the initial disclosure.
The AppCheck system has a dedicated WordPress module designed to identify vulnerable plugins and configuration weaknesses.
Sign up now for a free trial to scan your web sites and applications.
[1] Malware Infection: link
[2] Original Advisory: link
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)