Bug in WordPress plugin allows unauthorized file upload
Posted on 02 July 2014.
WordPress users who also use the MailPoet plugin are urged to update it as soon as possible, as all versions but the latest one are plagued with a critical flaw that could allow attackers to remotely upload any file on their vulnerable website.

"This bug should be taken seriously," warns Sucuri CTO Daniel Cid, as "it gives a potential intruder the power to do anything he wants on his victim’s website."

The bug can be exploited to turn vulnerable websites into hosts for phishing lures and malware, to send spam, to infect other customers on the same shared server, and more.

"Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details," said Cid, adding only that the problem lies "in the fact that the developers assumed that WordPress's "admin_init" hooks were only called when an administrator user visited a page inside /wp-admin/."
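The mistaken assumption Cid describes is a general WordPress pitfall: `admin_init` fires on every request that loads the admin bootstrap, including `wp-admin/admin-ajax.php` (reachable without logging in) and `admin-post.php`, not only when an administrator opens a page under /wp-admin/. The following constructed example, added here and not taken from MailPoet or from this article, contrasts a handler that treats the hook as an authorization boundary with one that authorizes the caller itself; the plugin name, function names, form field and nonce action are all assumed.

```php
<?php
/*
 * Constructed illustration of the admin_init pitfall (not MailPoet's code).
 * Names such as demo_upload_* , the 'demo_file' field and the
 * 'demo_upload_action' nonce are assumptions for this example.
 *
 * admin_init runs for any request that loads the admin bootstrap, including
 * wp-admin/admin-ajax.php, which does not require a login. A handler on this
 * hook therefore cannot assume anything about who is calling it.
 */

// UNSAFE pattern: the author assumes admin_init implies "an admin in /wp-admin/".
// Shown for contrast only; it is deliberately not registered below.
function demo_upload_unsafe() {
    if ( empty( $_FILES['demo_file'] ) ) {
        return;
    }
    // No capability check, no nonce, no file-type validation: any request
    // that reaches admin_init can place a file in the uploads directory.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['demo_file']['name'] );
    move_uploaded_file( $_FILES['demo_file']['tmp_name'], $dest );
}

// SAFE pattern: authorize the user, verify intent, validate the file.
add_action( 'admin_init', 'demo_upload_hardened' );
function demo_upload_hardened() {
    if ( empty( $_FILES['demo_file'] ) ) {
        return;
    }

    // 1. Authorization: the hook says nothing about the caller, so check
    //    the capability explicitly. Anonymous users fail current_user_can().
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Intent (CSRF): the submitting form must carry a nonce bound to
    //    this action; check_admin_referer() dies on a missing or bad nonce.
    check_admin_referer( 'demo_upload_action', 'demo_upload_nonce' );

    // 3. File validation: wp_handle_upload() checks extension and MIME type
    //    against the site's allowed list, rejects PHP and other executable
    //    types for non-unfiltered users, sanitizes the name and moves the
    //    file into the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['demo_file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // $result['file'] now holds the validated, relocated path.
}

// The matching form emits the nonce that step 2 verifies.
function demo_upload_form_html() {
    ob_start();
    ?>
    <form method="post" enctype="multipart/form-data">
        <?php wp_nonce_field( 'demo_upload_action', 'demo_upload_nonce' ); ?>
        <input type="file" name="demo_file">
        <button type="submit">Upload</button>
    </form>
    <?php
    return ob_get_clean();
}
```

The three checks are independent: the capability check answers "may this user do this", the nonce answers "did this user actually mean to", and the upload API answers "is this file acceptable". Dropping any one of them leaves a hole, and none of them can be inferred from which hook the handler is attached to.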

The bug was discovered a few weeks ago, and the MailPoet team has patched it in the latest version of the plugin (v2.6.7, released on Tuesday).

Users of the popular newsletter plugin are advised to update it immediately, but all WP users should keep in mind that regularly updating all the plugins they use is a good idea.

MailPoet has been downloaded by 1.7 million users.

Copyright 1998-2014 by Help Net Security.