Bug in WordPress plugin allows unauthorized file upload
Posted on 02 July 2014.
WordPress users who also use the MailPoet plugin are urged to update it as soon as possible, as all versions but the latest one are plagued with a critical flaw that could allow attackers to remotely upload any file on their vulnerable website.

"This bug should be taken seriously," warns Sucuri CTO Daniel Cid, as "it gives a potential intruder the power to do anything he wants on his victim’s website."

The bug can be exploited to turn vulnerable websites into hosts for phishing lures, spam-sending infrastructure, malware distribution points, a foothold for infecting other customers on the same shared server, and more.

"Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details," said Cid, adding only that the problem lies "in the fact that the developers assumed that WordPress's "admin_init" hooks were only called when an administrator user visited a page inside /wp-admin/."
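As an added illustration of the root cause Cid describes, and not MailPoet's own code, the following contrasts a handler that trusts `admin_init` as proof of an administrator session with a hardened one; the form field, nonce and action names are hypothetical.

```php
<?php
// Added example, not MailPoet's code. admin_init fires on every admin-side
// request, including admin-ajax.php and admin-post.php, which any visitor
// can reach, so it proves nothing about who is making the request.
// Field, nonce and action names below are hypothetical.

// Vulnerable pattern: treats admin_init as proof of an administrator session.
add_action( 'admin_init', 'example_import_vulnerable' );
function example_import_vulnerable() {
    if ( empty( $_FILES['example_import'] ) ) {
        return;
    }
    // No capability check, no nonce, no type check: any request reaching
    // admin_init can place a caller-chosen file under the uploads directory.
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['example_import']['name'];
    move_uploaded_file( $_FILES['example_import']['tmp_name'], $dest );
}

// Hardened pattern: authorize explicitly, bind the request to our own form,
// and let WordPress validate and rename the file.
add_action( 'admin_init', 'example_import_hardened' );
function example_import_hardened() {
    if ( empty( $_FILES['example_import'] ) ) {
        return;
    }
    // 1. The caller must hold an admin capability; the URL alone proves nothing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry a valid nonce from our settings form (CSRF).
    check_admin_referer( 'example_import_action', 'example_import_nonce' );
    // 3. Only the file type this feature needs; wp_handle_upload() checks the
    //    extension against the allow-list and sanitizes the stored file name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['example_import'],
        array( 'test_form' => false, 'mimes' => array( 'csv' => 'text/csv' ) )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // $result['file'] is now a sanitized, uniquely named CSV path to process.
}
```

The same check applies to any handler hooked on `admin_init`, `admin_post_*` or `wp_ajax_*`: the hook tells you which entry point was hit, not who hit it.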

The bug was discovered a few weeks ago, and the MailPoet team has patched it in the latest version of the plugin (v2.6.7, released on Tuesday).

Users of the popular newsletter plugin are advised to update it immediately, but all WP users should keep in mind that regularly updating all the plugins they use is a good idea.

MailPoet has been downloaded by 1.7 million users.