"This bug should be taken seriously," warns Sucuri CTO Daniel Cid, as "it gives a potential intruder the power to do anything he wants on his victim’s website."
The bug can be exploited to turn vulnerable websites into hosts for phishing lures, spam sending, and malware distribution, to infect other customers on a shared server, and more.
"Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details," said Cid, adding only that the problem lies "in the fact that the developers assumed that WordPress's “admin_init” hooks were only called when an administrator user visited a page inside /wp-admin/."
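To make the root cause Cid describes concrete, here is an added, purely illustrative plugin snippet (not MailPoet's code, which was never published; the `example_plugin_*` functions and the `example_theme` field are hypothetical). WordPress fires `admin_init` not only when an administrator opens a page under /wp-admin/, but on every request that loads wp-admin/admin.php, admin-post.php or admin-ajax.php, and admin-ajax.php is reachable by anonymous visitors because front-end AJAX uses it. A callback that treats the hook itself as proof of an admin session therefore runs for unauthenticated requests:

```php
<?php
/*
 * Added illustration of the "admin_init means admin" mistake.
 * Not MailPoet's code: function names and the example_theme field are
 * hypothetical. admin_init fires on admin.php, admin-post.php and
 * admin-ajax.php, and the last of these accepts anonymous requests.
 */

// --- Vulnerable pattern: trusts the hook as proof of an admin session ---
add_action( 'admin_init', 'example_plugin_vulnerable_upload' );
function example_plugin_vulnerable_upload() {
    // Baked-in assumption: "only administrators reach admin_init".
    if ( ! isset( $_FILES['example_theme'] ) ) {
        return;
    }
    // An anonymous multipart POST to /wp-admin/admin-ajax.php carrying a
    // file named example_theme lands here and is written to disk, with a
    // client-chosen file name and no capability or nonce check at all.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['example_theme']['name'] );
    move_uploaded_file( $_FILES['example_theme']['tmp_name'], $dest );
}

// --- Hardened pattern: authenticate, authorise, and verify intent ---
add_action( 'admin_init', 'example_plugin_hardened_upload' );
function example_plugin_hardened_upload() {
    if ( ! isset( $_FILES['example_theme'] ) ) {
        return;
    }
    // 1. Authorisation: require a capability, not merely a logged-in user
    //    and certainly not merely "this hook fired". current_user_can()
    //    returns false for anonymous requests.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the submitting form emits wp_nonce_field( 'example_theme_upload' );
    //    check_admin_referer() dies unless a matching nonce is present.
    check_admin_referer( 'example_theme_upload' );
    // 3. Let WordPress validate the MIME type and extension and choose the
    //    destination path instead of trusting the client-supplied name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['example_theme'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
}
```

The same caveat applies to `is_admin()`, which only reports that an admin-side script is executing and also returns true for admin-ajax.php; neither it nor `admin_init` says anything about who sent the request. Where a plugin needs a form handler, hooking `admin_post_{action}` (fired only for logged-in users, with `admin_post_nopriv_{action}` for anonymous ones) keeps the two cases explicit, but the capability and nonce checks above are still required inside the handler.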
The bug was discovered a few weeks ago, and the MailPoet team has patched it in the latest version of the plugin (v2.6.7, released on Tuesday).
Users of the popular newsletter plugin are advised to update immediately; more generally, all WordPress users should keep every plugin they run up to date.
MailPoet has been downloaded by 1.7 million users.