WordPress plugin with 1.7 million downloads puts sites at risk of takeover

  • 1 July 2014
  • 1 reply
  • 792 views


Sites running MailPoet should install update ASAP.

by Dan Goodin - July 1 2014
Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned.
"If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable."
Full Article

1 reply

The following article is an update
(Millions of WordPress websites in danger due to easily exploitable bug)
Author: Zeljka Zorz HNS Managing Editor/ Posted on 21 November 2014.
 
A new WordPress version has been released, and you better update to it, as it patches a critical cross-site scripting flaw that can be exploited by attackers to compromise your site.

The vulnerability has been discovered by Jouko Pynnonen, CEO of Finnish IT company Klikki Oy, and affects version 3.0 of the popular CMS, which is used by at least 86 percent of WordPress sites around the world, meaning that millions of websites are in danger. Version 4.0 is not affected.

"An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login)," the company researchers explained.

"Program code injected in comments would be inadvertently executed in the blog administrator's web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.
full article
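The mechanism the update describes, rendered as an added example that is not part of either post and not WordPress code: an untrusted comment is placed into the administrator's comment list once without output encoding and once with Python's `html.escape`, and a small audit reports which rendering still carries a live HTML tag. The sample comments, function names and tag check are all constructed for this illustration.

```python
"""Added example (not from the article or from WordPress): why a comment
rendered without output encoding executes in the administrator's browser,
and how escaping the untrusted text neutralises it."""
import html
import re

# Constructed sample comments. The third one mimics a comment that carries
# markup; the second shows that ordinary punctuation must survive escaping.
SAMPLE_COMMENTS = [
    "Nice post, thanks!",
    "I think 2 < 3 & 3 > 2",
    "<script>document.title='owned'</script>",
]

# Loose pattern for "something that a browser would parse as a tag";
# used only to audit the rendered comment text, not as a filter.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_comment_unsafe(body: str) -> str:
    """Vulnerable pattern: untrusted text concatenated straight into HTML.
    The admin's browser parses any tag inside `body` as real markup."""
    return f'<li class="comment">{body}</li>'


def render_comment_safe(body: str) -> str:
    """Hardened pattern: encode &, <, >, " and ' before the text reaches the
    page, so the browser shows the characters instead of interpreting them."""
    return f'<li class="comment">{html.escape(body, quote=True)}</li>'


def render_author_attribute_safe(author: str) -> str:
    """Attribute context: quote=True matters here, because an unescaped quote
    would otherwise close the attribute and let the rest be read as markup."""
    return f'<a class="author" title="{html.escape(author, quote=True)}">{html.escape(author)}</a>'


def audit(comments):
    """For each comment, report whether the comment text contributes a live
    tag when rendered unsafely and when rendered with escaping."""
    results = []
    for body in comments:
        results.append({
            "comment": body,
            "unsafe_has_tag": _TAG_RE.search(body) is not None,
            "safe_has_tag": _TAG_RE.search(html.escape(body, quote=True)) is not None,
        })
    return results


if __name__ == "__main__":
    for row in audit(SAMPLE_COMMENTS):
        print(row)
    print(render_comment_safe(SAMPLE_COMMENTS[2]))
```

The audit is deliberately one-sided: the escaped rendering never contains a tag, whatever the comment holds, whereas the unescaped rendering preserves any tag the commenter typed. That is the whole difference between the two versions the article contrasts, and it is why the fix lives at the point where untrusted text is written into the page, not in a filter applied when the comment is submitted.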
