WordPress Plugin “MailPoet” Exploited Across 50,000 Sites

A vulnerability affecting nearly 50,000 websites has been exposed as part of the latest assault on WordPress, security firm Sucuri reported today.


MailPoet, a popular plugin designed to help webmasters with push notifications and autoresponders, was revealed as the culprit. The flaw allowed hackers to break into WordPress installations that had the plugin installed, and even into sites that had never enabled it, because an infection on one site can spread to neighboring sites that share the same server.

Daniel Cid, CTO of Sucuri, elaborated on just how serious the exploit is and what it means for users who visit WordPress-based websites daily for the latest news and reviews.

“To be clear, the MailPoet vulnerability is the entry point,” he wrote in a blog post. “It doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website.”

The hole grants full administrative access to anyone who knows it exists, giving them complete control over every layer of a publication, as well as detailed reports on any users who happen to visit a particular feed while the site is under attack.

By injecting malicious content into themes and core files, hackers are able to strip admin capabilities from legitimate users and implant their own customized material into the site. That makes recovery far more daunting for those who are less familiar with the sophisticated methods that sustain these types of infections.

If WordPress’ own estimates are to be believed, around two million sites in total have installed MailPoet to help manage their content and newsletter updates. Even if only a small fraction of that total is infected, there is still a huge risk for anyone who relies on WordPress as their primary publishing platform.

“On most shared hosting companies—GoDaddy, Bluehost, etc.—one account can not access files from another account, so the cross-contamination would be restricted to sites within the same account,” Cid said. However, in other cases, “if the server is not properly configured, which is not uncommon, then [the infection] can spread to all sites and accounts on the same server.”

The issue was first discovered this week by Sucuri researcher Peter Gramantik, who wrote an extensive report detailing the breadth of the problem and the trouble WordPress users could face over the next several weeks while a patch was prepared by the company itself.

Since then, WordPress engineers have released an easy-to-use tool that lets anyone with a blog on their servers apply the fix with one click. WordPress has also apologized for the mishap, and says that although it may have missed the hole the first time around, precautions have been put in place to prevent this sort of problem from recurring.