WordPress is a platform known worldwide for the blogs that can be created and managed through it. Used by millions of people, the platform is continuously developed and improved, offering new functionalities and features.
However, it was recently discovered that one of these updates contains an error that can prove fatal for the blog using it.
The plug-in presenting this dangerous vulnerability has already been downloaded by over 1.7 million users. The error allows any attacker to take full control of the respective blog.
The identified problem is very serious because it allows uploading a PHP file to the blog, through which the attacker can do anything they want with the site, including phishing, sending spam, hosting malware, infecting other clients (on a shared server).
The vulnerability was fixed in MailPoet version 2.6.7, released Tuesday, July 1, so all WordPress blog administrators should upgrade the plug-in to the latest version as soon as possible if they have downloaded and used the problematic plug-in.
The problem occurred because the developers misjudged who could reach the file-upload code: they assumed that a request handled through the admin_init hook could only come from an authenticated admin. In reality, the upload page could be triggered by any user, so it was accessible to anyone.
Daniel Cid, Sucuri's chief technology officer, who discovered the problem, warns all web developers never to use admin_init() or is_admin() as an authentication method, as these methods are very insecure.
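To make Cid's warning concrete, here is an added illustration (constructed for this article, not MailPoet's or Sucuri's code) of a hypothetical plug-in upload handler written the way the article describes, next to a hardened version that checks a capability, a nonce and the file type instead of relying on admin_init/is_admin(); the plug-in name, hook names and nonce action are assumptions.

```php
<?php
// Constructed illustration of the pattern the article warns about:
// admin_init and is_admin() describe the request context, not who sent it.

// --- Vulnerable pattern: admin_init + is_admin() treated as "authentication" ---
add_action('admin_init', 'hypothetical_plugin_import_vulnerable');
function hypothetical_plugin_import_vulnerable() {
    // is_admin() is true for ANY request that loads an admin page, including
    // admin-ajax.php and admin-post.php, which do not require a logged-in user.
    if (!is_admin() || empty($_FILES['theme'])) {
        return;
    }
    // Nothing verifies who is asking, nor what kind of file is being written.
    move_uploaded_file($_FILES['theme']['tmp_name'],
        WP_CONTENT_DIR . '/uploads/' . $_FILES['theme']['name']);
}

// --- Hardened pattern: capability check + nonce + file-type validation ---
add_action('admin_init', 'hypothetical_plugin_import_hardened');
function hypothetical_plugin_import_hardened() {
    if (empty($_FILES['theme'])) {
        return;
    }
    // 1. Authorization: require a capability of the current user, not a context.
    if (!current_user_can('install_themes')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. CSRF protection: the submitting form must carry a valid nonce
    //    (generated with wp_nonce_field('hypothetical_plugin_import')).
    check_admin_referer('hypothetical_plugin_import');
    // 3. Accept only the archive type this feature actually needs; a .php
    //    upload is rejected here rather than landing on disk.
    $check = wp_check_filetype($_FILES['theme']['name'],
                               array('zip' => 'application/zip'));
    if ($check['ext'] !== 'zip') {
        wp_die('Only .zip archives are accepted.', '', array('response' => 400));
    }
    // 4. Let WordPress perform the move so the file lands in the managed
    //    uploads directory under a sanitized name, not an attacker-chosen path.
    $result = wp_handle_upload($_FILES['theme'], array('test_form' => false));
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']));
    }
    // $result['file'] can now be unpacked, with the archive contents validated too.
}
```

The key difference is that current_user_can() answers "may this user do this?", whereas is_admin() only answers "is this an admin-area URL?", which an unauthenticated visitor can satisfy.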
WordPress sites are a prime target for hackers, who daily scan the internet looking for vulnerabilities of this kind.
Our advice, to keep your blog or site safe, is to perform all updates immediately as they appear, because any issues are promptly fixed.