Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

WordPress Plugin Vulnerability Exploited to Compromise Thousands of Websites

A large number of websites have been compromised over the past days by cybercriminals who are exploiting a recently patched security hole in a popular newsletter plugin for WordPress.

A large number of websites have been compromised over the past days by cybercriminals who are exploiting a recently patched security hole in a popular newsletter plugin for WordPress.

Researchers from Sucuri started spotting malware injections on WordPress websites last week, but they initially couldn’t determine the attack vector. In a blog post published on Wednesday, Sucuri CTO and founder Daniel Cid revealed that a flaw in the MailPoet WordPress plugin is responsible for the massive malware infection.

Sucuri published an advisory on the MailPoet vulnerability at the beginning of July, when the company warned users to update their installations immediately to prevent cybercriminals from taking over their websites. The flaw can be exploited to upload any PHP file to affected sites. In this case, the attackers are uploading a malicious theme that contains a backdoor.

“The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files. The biggest issue with this injection is that it often overwrites good files, making very hard to recover without a good backup in place,” Cid said.

The security firm estimates that around 50,000 websites have been compromised, but the number could increase considerably because the MailPoet plugin has been downloaded nearly 2 million times from the official WordPress website. Furthermore, other types of websites hosted on the same server as the compromised WordPress site could also be affected.

“Only WordPress sites can be compromised by the vulnerability. But once the attackers’ code succeeds compromising the WordPress site, it attempts to also inject malware into all neighboring sites within the same server/account. So you may see other CMS’s compromised because of that,” Cid told SecurityWeek.

MailPoet developers addressed the vulnerability with the release of version 2.6.8, so users are advised to upgrade the plugin to this or a newer version. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.