A critical vulnerability in a WordPress plug-in that has been downloaded 1.7 million times allows potential attackers to take full control of blogs that use it.
The flaw lies in the MailPoet Newsletters plug-in, formerly known as wysija-newsletters, and was discovered by researchers from Web security firm Sucuri.
“This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim’s website,” Daniel Cid, Sucuri’s chief technology officer, said in a blog post Tuesday. “It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on!”
The vulnerability was patched in MailPoet version 2.6.7, announced on July 2, 2014, so WordPress blog administrators who use the plug-in should update it to the latest version as soon as possible.
The flaw resulted from the MailPoet developers mistakenly assuming that the “admin_init” hook in WordPress is only triggered when an administrator visits pages in the administration panel, Cid said.
The MailPoet developers used admin_init to check whether the current user is allowed to upload files, but because this hook is also triggered by a page reachable by unauthenticated users, the plug-in’s file upload functionality was effectively exposed to anyone.
It’s an easy mistake to make, and all plug-in developers should be aware of this behavior, Cid said. “If you are a developer, never use admin_init() or is_admin() as an authentication method.”
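To make the mistake Cid describes concrete, here is an added illustration (not MailPoet's own code) of the anti-pattern beside a corrected form. It assumes WordPress is loaded, and the hook, handler and field names are hypothetical.

```php
<?php
/*
 * Added example, not MailPoet's code. Assumes WordPress is loaded;
 * the hook and handler names below are hypothetical.
 */

// VULNERABLE PATTERN: admin_init also fires for admin-ajax.php and
// admin-post.php, which unauthenticated visitors can reach, and
// is_admin() only reports that an admin-area script is running, not
// that the current user holds any capability. Neither is an auth check.
add_action( 'admin_init', 'example_vulnerable_upload_handler' );
function example_vulnerable_upload_handler() {
    if ( ! is_admin() || empty( $_FILES['theme_zip'] ) ) {
        return;
    }
    // Anyone who reaches this hook can write an arbitrary file.
    $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['theme_zip']['name'] );
    move_uploaded_file( $_FILES['theme_zip']['tmp_name'], $dest );
}

// HARDENED PATTERN: gate on an explicit capability, require a nonce
// tied to this action, and let WordPress validate the file type.
add_action( 'admin_post_example_upload', 'example_hardened_upload_handler' );
function example_hardened_upload_handler() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_upload_action', 'example_upload_nonce' );

    if ( empty( $_FILES['theme_zip'] ) ) {
        wp_die( 'No file supplied', '', array( 'response' => 400 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['theme_zip'],
        array(
            'test_form' => false,
            // Accept only the type this feature actually needs.
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example&uploaded=1' ) );
    exit;
}
```

The hardened handler is registered on admin_post_{action}, which WordPress only dispatches for logged-in users, but the explicit capability and nonce checks are what actually enforce authorization.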
WordPress sites are a constant target for attackers, and those that get compromised are often used to host spam pages or malicious content as part of other attacks. Cybercriminals scan the Internet daily to identify WordPress installations affected by vulnerabilities like the one found in MailPoet.