A critical vulnerability has been found in the popular WordPress plugin MailPoet (formerly known as Wysija). An attacker can take over a website that runs the MailPoet plugin without needing to authenticate. According to Daniel Cid, CEO of Security for Sucuri, this flaw “can allow attacker to use your website for phishing lures, sending spam, host malware, infect other customers (on a shared server)”.
The MailPoet plugin lets WordPress users manage subscribers and send newsletters from within the content management system. Because the plugin has 1.7 million downloads worldwide (per WordPress.org), the vulnerability has been ranked as serious.
All versions of MailPoet are vulnerable, except for version 2.6.7 released on July 1, 2014. All users are urged to update to the latest version as quickly as possible. Download here: https://wordpress.org/plugins/wysija-newsletters/
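For anyone responsible for more than one site, for example on a shared server, the script below is an added example (not part of the original post and not MailPoet's own code) that walks a web root and reports every copy of the plugin older than 2.6.7. It assumes the standard `wp-content/plugins/wysija-newsletters` layout and that releases after 2.6.7 keep the fix; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "wysija-newsletters"  # slug taken from the WordPress.org URL above
FIXED = (2, 6, 7)                   # the fixed release named in this post

# Same idea as WordPress's own header lookup: a "Version:" line in a comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'2.6.6' -> (2, 6, 6); returns () if no leading numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress only reads the first 8 KiB of a file for headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def audit(web_root):
    """List (path, version, status) for each MailPoet copy under web_root."""
    results = []
    pattern = f"wp-content/plugins/{PLUGIN_SLUG}"
    for plugin_dir in sorted(Path(web_root).rglob(pattern)):
        if not plugin_dir.is_dir():
            continue
        version = plugin_version(plugin_dir)
        parsed = parse_version(version) if version else ()
        if not parsed:
            status = "UNKNOWN"      # header missing or unreadable: check by hand
        elif parsed < FIXED:
            status = "VULNERABLE"   # older than 2.6.7: update now
        else:
            status = "OK"           # assumption: later releases keep the fix
        results.append((str(plugin_dir), version, status))
    return results

if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:<10} {version or '-':<8} {path}")
```

Run it with the directory that holds your sites as the only argument; any line marked `VULNERABLE` or `UNKNOWN` needs attention.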
At Dalen Design, we take safety and security seriously. Should you need assistance with installing patches or plugin upgrades, please contact us.