WordPress users who have an unpatched copy of a popular plugin installed are being cautioned to upgrade their sites immediately. WordPress is a free and open source blogging tool and content management system (CMS).
A serious vulnerability in the MailPoet WordPress plugin allows an attacker to upload any file they want to the server, including malware, defacements and spam, without any authentication.
MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that allows developers running WordPress to send newsletters and manage subscribers within the content management system.
In a blog post, Daniel Cid, security researcher and CEO of the security firm Sucuri, described the vulnerability as serious and said that in the three weeks since it was disclosed, over 50,000 websites had been remotely exploited by cybercriminals installing backdoors through the vulnerable MailPoet plugin.
Some of those compromised websites don't even run WordPress or don't have the MailPoet plugin enabled, because the malware can infect any website that resides on the same server as a hacked WordPress website, according to the researcher.
"The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files," Cid said in a blog post. "All the hacked sites were either using MailPoet or had it installed on another site within the same shared account -- cross-contamination still matters."
"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighbouring website, it can still affect your website."
The security firm first reported the vulnerability at the beginning of this month. The backdoor that gets installed is very nasty: it creates an admin account that gives attackers full administrative control, and it injects backdoor code into all themes and core files.
The worst part of this infection is that the malicious code also overwrites valid files, which are very difficult to recover without a good backup in place. This causes many websites to fall over and display the message:
Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91.
The security firm clarifies that every build of MailPoet is vulnerable except the most recent release, 2.6.7, so users are advised to update as soon as possible.
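As an added example (not code from the article or from Sucuri), the following Python script is the kind of check a hosting administrator could run across every site on a shared account to find any copy of MailPoet older than 2.6.7, since a vulnerable copy in a neighbouring site is still an entry point. The plugin directory name wysija-newsletters and the "Version:" header in its index.php are assumptions about MailPoet's on-disk layout.

```python
import os
import re
import tempfile
from pathlib import Path

# Fixed release named in the advisory; every earlier MailPoet build is vulnerable.
FIXED_VERSION = "2.6.7"
# Assumed on-disk name of the plugin directory (MailPoet was formerly Wysija);
# its main file is assumed to carry the standard WordPress header "Version: x.y.z".
PLUGIN_DIR = "wysija-newsletters"
PLUGIN_MAIN = "index.php"

_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\d+(?:\.\d+)*)", re.MULTILINE)


def version_tuple(s):
    return tuple(int(p) for p in s.split("."))


def parse_plugin_version(header_text):
    """Return the version string declared in a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True for every build older than the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def audit_account(docroots):
    """Walk every docroot on the account; a copy with no parsable version is
    flagged too, because it cannot be shown to be the fixed build."""
    findings = []
    for root in docroots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if os.path.basename(dirpath) == PLUGIN_DIR and PLUGIN_MAIN in filenames:
                main = Path(dirpath) / PLUGIN_MAIN
                ver = parse_plugin_version(main.read_text(errors="replace"))
                findings.append((str(main), ver, ver is None or is_vulnerable(ver)))
    return findings


def demo():
    """Constructed sample account: site-a is patched, site-b still runs 2.6.6."""
    with tempfile.TemporaryDirectory() as base:
        for site, ver in (("site-a", "2.6.7"), ("site-b", "2.6.6")):
            d = Path(base) / site / "wp-content" / "plugins" / PLUGIN_DIR
            d.mkdir(parents=True)
            (d / PLUGIN_MAIN).write_text(
                f"<?php\n/*\nPlugin Name: MailPoet Newsletters\nVersion: {ver}\n*/\n")
        return sorted((Path(p).relative_to(base).parts[0], v, vuln)
                      for p, v, vuln in audit_account([base]))
```

Running demo() reports site-b as vulnerable and site-a as clean; on a real account, pass the list of document roots to audit_account instead.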
Sucuri is dedicated to finding vulnerabilities in the WordPress ecosystem and encouraging users to install updates. A week ago, it urged users to upgrade because of a vulnerability found in the WPtouch WordPress plugin that could allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server.
A few weeks earlier, Sucuri also found two serious vulnerabilities in the popular WordPress SEO plugin "All in One SEO Pack" and a critical Remote Code Execution (RCE) flaw in the "Disqus Comment System" WordPress plugin.