WordPress plugin flaw opens blogs up to cybercriminals

A WordPress plugin called MailPoet - which has been downloaded around 1.7 million times - has placed large numbers of WordPress-based websites at risk of incursion.

According to Sucuri's CTO Daniel Cid, hackers have been exploiting a flaw in the plugin since early July, but the key takeaway is that a site does not even have to have the plugin - or WordPress - installed to be vulnerable. This is due to the shared-server nature of many WordPress blogging services.

First released just over 11 years ago, WordPress is a free and open source blogging plus content management system based on PHP and MySQL. Originally developed as a variant of b2/cafelog, the platform has been adopted by many millions of websites around the world, resulting in its code - and plugins - being targeted by cyber-criminals.

MailPoet - originally called Wisija - is a drag-and-drop utility for WordPress that makes the task of creating an online newsletter very easy. Available in free and paid-for versions, the plug-in has more than 50 themes and is popular amongst blogging sites on both sides of the pro-amateur and business divide.

According to Cid, the MailPoet flaw has been exploited on between 30,000 and 50,000 WordPress and related sites in the last three weeks.

The shared nature of many blogging sites - some of which support the Joomla and Magento blogging platforms - means that if a WordPress site on a shared service has MailPoet on its servers, then there is a strong chance that even non-WordPress microsites may fall victim to the MailPoet flaw in what is best described as a 'domino effect' on the server concerned.

In his analysis of the issue, Cid says that the MailPoet vulnerability is merely an entry point to the server.

"It doesn't mean your website has to have it enabled or that you have it on the site; if it resides on the server, in a neighbouring site, it can still affect your website," he said, adding that the attack methodology involves cyber-criminals uploading a malicious theme to the site, which then creates an admin user called 1001001, as well as injecting backdoor code into all theme/core files.
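As an added illustration (not code from the article or from Sucuri), the following Python audit checks a site for the two indicators Cid describes: an unexpected administrator account, specifically the login 1001001, and theme/core files whose contents no longer match a baseline. The user rows, the allow-list of expected admins and the file contents are constructed sample data; a real check would read wp_users/wp_usermeta from the database and hash the files on disk.

```python
# Added defender-side example, not part of the original article.
# Flags the indicators the article names for the MailPoet compromise:
# a rogue admin login "1001001" and modified theme/core files.
import hashlib

ROGUE_LOGIN = "1001001"        # admin login the article says the attack creates
KNOWN_ADMINS = {"editor"}      # assumed allow-list of expected administrators

# Constructed rows in the shape of wp_users joined to the role in wp_usermeta.
USERS = [
    ("editor", "administrator"),
    ("1001001", "administrator"),   # the indicator from the article
    ("jdoe", "subscriber"),
]


def rogue_admins(users, known_admins=KNOWN_ADMINS):
    """Administrator logins that are not on the allow-list, sorted."""
    return sorted(login for login, role in users
                  if role == "administrator" and login not in known_admins)


def indicator_present(users):
    """True if the login named in the article exists under any role."""
    return any(login == ROGUE_LOGIN for login, _ in users)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline (path -> hash of pristine contents) taken at install time.
BASELINE = {
    "wp-content/themes/sample-theme/functions.php": sha256(b"<?php // pristine theme\n"),
    "wp-includes/load.php": sha256(b"<?php // pristine core\n"),
}

# Constructed current contents: the theme file has an appended line, core is intact.
CURRENT_FILES = {
    "wp-content/themes/sample-theme/functions.php":
        b"<?php // pristine theme\n// constructed placeholder for injected code\n",
    "wp-includes/load.php": b"<?php // pristine core\n",
}


def modified_files(baseline, current):
    """Paths whose current hash differs from, or is missing in, the baseline."""
    return sorted(path for path, data in current.items()
                  if baseline.get(path) != sha256(data))


if __name__ == "__main__":
    print("unexpected admins:", rogue_admins(USERS))
    print("1001001 present:", indicator_present(USERS))
    print("modified files:", modified_files(BASELINE, CURRENT_FILES))
```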

The good news is that the latest version of MailPoet (v2.6.7) appears to have fixed the vulnerability, suggesting that WordPress users should download the new version of the plugin.

Steve Smith, managing director with Pentura, the security consultancy, said that WordPress has become a popular platform for business websites - as either a framework or hosting service.

"Plugins can be a back door for hackers to introduce malware onto a network, via a business's website, and this could put data at risk of attack. It is important that organisations ensure they are fully informed of the vulnerabilities that some plug-ins present and take the necessary steps to protect against them," he explained.

Nigel Stanley, practice director for cyber security, risk and compliance with OpenSky, said the shared service aspect of the exploit - which opens up Joomla and Magento users to their sites being compromised - is extremely concerning, because large numbers of small businesses depend on the Joomla platform to run their sites and businesses.

"The issue here is that these small businesses often lack the resources to deal with any problems with Joomla, so when something like this affects them, they have no capacity to fix it," he explained.