New WordPress Plugin Problem Compromises 50,000 Sites

by John

WordPress users are being warned to check that their sites have not been compromised, after it was revealed that a flaw in a popular newsletter plugin has led to up to 50,000 sites being targeted by hackers.

According to reports, the vulnerability is a flaw in MailPoet Newsletters, formerly known as Wysija Newsletters, and it follows a previous problem found in the plugin only a few weeks ago.

The problem was fixed to prevent any further issues, and a patch for the plugin was released on July 1. However, anyone who does not apply the patch could be left open to hackers uploading PHP files and taking control of the site.

It has also been found that hackers have taken advantage of the patch to launch further attacks.

So far, the MailPoet Newsletters plugin has been downloaded for use on WordPress sites by more than 2 million users.

Security firm Sucuri initially found the problem, and it was soon found that the attack on MailPoet also exploited the patch that was released at the start of July.

According to a post from Sucuri: “The backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files making them very hard to recover.”
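The two indicators in the quoted post, the `1001001` admin account and rewritten theme/core files, can be checked for as shown here. This is an added example, not code from Sucuri or MailPoet; it assumes a user export in CSV with `user_login` and `roles` columns (for instance from WP-CLI's `wp user list --format=csv`) and a hypothetical baseline of SHA-256 hashes taken from a clean copy of the same WordPress and theme release. All sample data is constructed.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

ROGUE_LOGIN = "1001001"  # admin account name given in the quoted post

# Constructed sample of a user export (columns: ID, user_login, roles).
SAMPLE_USERS = """ID,user_login,roles
1,siteowner,administrator
7,1001001,administrator
9,1001001x,subscriber
12,editor1,"editor,author"
"""


def find_rogue_admins(user_csv):
    """Return rows whose login is the reported name and whose roles include administrator."""
    rows = csv.DictReader(io.StringIO(user_csv))
    return [r for r in rows
            if r["user_login"].strip() == ROGUE_LOGIN
            and "administrator" in r["roles"].split(",")]


def modified_files(root, baseline):
    """List PHP files under root that differ from, or are absent from, the baseline.

    baseline maps a relative path to the SHA-256 hex digest of the clean file
    (hypothetical manifest built from an untouched copy of the same release).
    """
    changed = []
    for path in Path(root).rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if baseline.get(rel) != hashlib.sha256(path.read_bytes()).hexdigest():
            changed.append(rel)
    return sorted(changed)


if __name__ == "__main__":
    for row in find_rogue_admins(SAMPLE_USERS):
        print("suspicious admin account:", row["ID"], row["user_login"])
    with tempfile.TemporaryDirectory() as d:  # constructed mini site
        clean = b"<?php get_header();\n"
        theme = Path(d, "wp-content", "themes", "demo")
        theme.mkdir(parents=True)
        (theme / "footer.php").write_bytes(clean)
        baseline = {"wp-content/themes/demo/footer.php": hashlib.sha256(clean).hexdigest()}
        (theme / "footer.php").write_bytes(b"<?php /* altered */ get_footer();\n")
        print("changed files:", modified_files(d, baseline))
```

Because the injection overwrites legitimate files, a file flagged here should be restored from the clean copy or a backup rather than edited in place.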

It is not known how many sites have been affected by the problem. Sucuri, which scans sites on a voluntary basis, has found a few thousand sites with the problem, which has led the company to estimate that around 50,000 sites have potentially been affected.

What is particularly worrying is that sites that do not have the plugin, or that do not even run WordPress, are potentially at risk from the attack through what is being termed cross contamination.

Daniel Cid from Sucuri said: “On most shared hosting companies – GoDaddy, Bluehost etc – one account cannot access files from another account, so the cross contamination would be restricted to sites within the same account. However if the server is not properly configured, which is not uncommon, then (the infection) can spread to all sites and accounts on the same server.”

If you have a WordPress site and are concerned about security, be sure to upgrade your version of the MailPoet plugin and keep up to date with security by updating software as suggested by WordPress.
