Continuing on from our Security – WordPress 101 article from a few days ago, we have just become aware of a significant vulnerability which may affect some of our users. A popular WordPress plugin, MailPoet, which has been downloaded by more than 1.7 million WordPress users, contains a critical flaw that lets an unauthenticated visitor upload arbitrary files and so gain unrestricted control of a user's entire website. The vulnerability was made public in a Sucuri blog post which confirmed the worst:
This bug should be taken seriously; it gives a potential intruder the power to do anything he wants on his victim's website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, infecting other customers (on a shared server), and so on! – Daniel Cid, Sucuri CEO (2014).
If you are running MailPoet, it is absolutely critical that you update the plugin to the latest release (2.6.7), as all previous versions contain this vulnerability. This highlights the sheer importance of keeping on top of your WordPress updates (or those of any other CMS, for that matter).
Does this vulnerability exist in other plugins?
In a way, yes, there is the potential. This vulnerability came about through the mistaken assumption that WordPress's admin_init hook is secure because it belongs to the admin directory; that is, that anything hooked to it will only ever be executed by an administrator who has logged in. Unfortunately that is not true. admin_init fires on every request that loads the admin bootstrap, including /wp-admin/admin-post.php (and /wp-admin/admin-ajax.php), and those files can be requested without logging in at all. The hook therefore says nothing about who is making the request: a plugin that performs a privileged action from admin_init, such as writing an uploaded file to disk, without its own current_user_can() capability check and nonce check can be triggered by anyone. It is quite possible other plugin authors have made this same incorrect assumption, which would leave their plugins vulnerable as well; this probably also explains why we see admin-post.php targeted by automated bots so frequently.
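To make the mistake concrete, here is an added example (our own illustration, not MailPoet's code) of a plugin upload handler written the way the vulnerable assumption implies, followed by the same handler hardened the way a plugin author should write it. The function names, the theme_file field and the example_upload_nonce name are hypothetical; the WordPress functions called (add_action, current_user_can, check_admin_referer, wp_handle_upload, wp_die) are real core APIs.

```php
<?php
/**
 * Added example, not code from MailPoet or WordPress core.
 * Hypothetical names: example_*, theme_file, example_upload_nonce.
 */

// VULNERABLE: trusts that admin_init only fires for logged-in administrators.
// In reality an anonymous POST to /wp-admin/admin-post.php reaches this
// function, and the upload is accepted with no capability, nonce or file-type
// check, so any .php file can be dropped into a web-reachable directory.
add_action( 'admin_init', 'example_handle_upload_vulnerable' );
function example_handle_upload_vulnerable() {
    if ( empty( $_FILES['theme_file'] ) ) {
        return;
    }
    $upload = wp_upload_dir();
    move_uploaded_file(
        $_FILES['theme_file']['tmp_name'],
        $upload['basedir'] . '/' . $_FILES['theme_file']['name']
    );
}

// HARDENED: never infer privilege from the hook; verify it explicitly.
add_action( 'admin_init', 'example_handle_upload_hardened' );
function example_handle_upload_hardened() {
    if ( empty( $_FILES['theme_file'] ) ) {
        return;
    }

    // 1. Authorisation: admin_init says nothing about who is asking, so check
    //    a real capability. is_user_logged_in() alone would still let any
    //    subscriber-level account through.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF: a logged-in admin can be tricked into submitting this form from
    //    another site. The nonce (emitted in the form with
    //    wp_nonce_field( 'example_upload_theme', 'example_upload_nonce' ))
    //    ties the request to our own form; check_admin_referer() dies on failure.
    check_admin_referer( 'example_upload_theme', 'example_upload_nonce' );

    // 3. Content validation: accept only a zip archive and let WordPress sniff
    //    the real type instead of trusting the client-supplied file name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['theme_file'],
        array(
            'test_form' => false,                               // not the core media form
            'mimes'     => array( 'zip' => 'application/zip' ), // whitelist, not blacklist
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 'Upload rejected', array( 'response' => 400 ) );
    }

    // $result['file'] is now a validated .zip under wp-content/uploads. Hand it to
    // the theme installer or unpack it yourself; never execute anything from it.
}
```

The same three checks apply whether the handler is attached to admin_init, to an admin_post_{action} hook or to an admin_ajax action: the hook tells you where the request arrived, not who sent it or whether they are allowed to do what it does.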
So the bottom line here is that you should keep on your toes for any Content Management System (CMS), plugin and theme updates to avoid being the next victim of a hack. We would also recommend locking off access to your /wp-admin directory, if at all possible, to just the select IP addresses that need it. One caveat: /wp-admin/admin-ajax.php also lives in that directory and is routinely called by themes and plugins on behalf of ordinary, logged-out visitors, so test your site's front end after adding the restriction (or exempt admin-ajax.php from it) rather than assuming nothing public depends on it.
One Final Note – TimThumb
Just in case you missed it, and you are one of the majority who use a WordPress theme or plugin which relies upon TimThumb (and there are a lot of you), please make sure you run all of your updates, as a critical vulnerability was found just last week. Because TimThumb is usually bundled inside a theme or plugin rather than installed on its own, a core or plugin update alone will not fix it; the theme or plugin author has to ship a patched timthumb.php, so check which of yours carry a copy. For more information see http://seclists.org/fulldisclosure/2014/Jun/117