WordPress users that have a popular plugin installed are being cautioned to upgrade immediately.
A vulnerability in the plugin, MailPoet, could essentially allow an attacker to take over any site running it without authentication.
MailPoet, formerly Wysija, allows developers running WordPress to send newsletters and manage subscribers within the content management system and has nearly two million downloads to date, according to WordPress.org.
A blog post by Daniel Cid, the CEO of the security firm Sucuri, pointed out the vulnerability, calling it serious, on Tuesday.
Discovered by researcher Marc-Alexandre Montpas, the bug could apparently allow an attacker to upload any file remotely to a site using the plugin, including PHP.
“This can allow an attacker to use your website for phishing lures, sending spam, host malware, infect other customers (on a shared server),” Cid wrote.
Cid wouldn’t get too in depth about the vulnerability but alluded to the problem, suggesting that the developers behind MailPoet assumed WordPress’s “admin_init” hooks were only called upon when an admin user visited a page inside /wp-admin/.
“admin_init” can be used as a callback to specific functions and in this case it was used to verify whether a user was authenticated to upload files. It sounds like /wp-admin/admin-post.php overrode this however, making a site’s theme upload functionality available to anyone, something that in turn could allow anyone to upload any document or file without authentication.
Cid admitted that the mistake was an easy one to make but used the blog as an opportunity to warn developers going forward.
“If you are a developer, never use admin_init() (or is_admin()) as an authentication method,” Cid said.
The firm is clarifying that every build of MailPoet is vulnerable except for the most recent version, 2.6.7, released Tuesday and is urging users to update it as soon as possible.
Sucuri has proved especially adept at digging up WordPress bugs, particularly in plugins, as of late. The firm discovered a remote execution zero day in the PHP image resizer TimThumb and two privilege escalations in the All in One SEO Pack plugin last month.