• I just came across this article on ArsTechnica about a major security issue with MailPoet.

    The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it’s the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, “any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated.” The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just released 2.6.7, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses.

    This is a major security implication for any site running MailPoet/WYSIJA, so be sure to update right away. I’m a bit upset about this because I paid for the premium version of MailPoet and never received any kind of notice from them about this vulnerability.

    https://www.ads-software.com/plugins/wysija-newsletters/
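The quoted ArsTechnica paragraph describes the root cause as a plugin treating the `admin_init` action as proof that an administrator is present. Below is an added illustration of that mistaken assumption beside a correctly guarded version. This is example code written for this thread, not MailPoet's code and not the actual flawed routine; the hook name `example_`, the `example_theme` form field and the nonce action are hypothetical. What it relies on is standard WordPress behaviour: `wp-admin/admin.php` fires `admin_init`, and `admin-post.php` (as well as `admin-ajax.php`) loads `admin.php` for logged-out visitors too, so anything an `admin_init` callback does runs for unauthenticated requests.

```php
<?php
/**
 * Added example (not MailPoet's code): admin_init is not an authentication gate.
 *
 * Hypothetical field name "example_theme" and nonce action "example_theme_upload"
 * are placeholders used only for this illustration.
 */

// --- Vulnerable pattern: relies on admin_init as an implicit privilege check ---
function example_vulnerable_admin_init() {
    // Assumes "this hook only fires for admins inside /wp-admin". It does not:
    // an unauthenticated POST to /wp-admin/admin-post.php reaches this code.
    if ( isset( $_FILES['example_theme'] ) ) {
        $dest = WP_CONTENT_DIR . '/uploads/' . basename( $_FILES['example_theme']['name'] );
        move_uploaded_file( $_FILES['example_theme']['tmp_name'], $dest );
    }
}
// add_action( 'admin_init', 'example_vulnerable_admin_init' ); // shown for contrast only

// --- Hardened pattern: explicit capability and nonce checks, WP-validated upload ---
function example_safe_admin_init() {
    if ( ! isset( $_FILES['example_theme'] ) ) {
        return;
    }

    // 1. Who is asking? The hook says nothing about this; check it yourself.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }

    // 2. Did the admin actually intend this request? (CSRF protection; dies on failure.)
    check_admin_referer( 'example_theme_upload', 'example_theme_nonce' );

    // 3. Let WordPress validate the file against an allow-list of MIME types and
    //    choose the destination name; never trust the client-supplied filename.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['example_theme'],
        array(
            'test_form' => false,
            'mimes'     => array( 'zip' => 'application/zip' ),
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', array( 'response' => 400 ) );
    }
    // $result['file'] now holds the validated path under wp-content/uploads.
}
add_action( 'admin_init', 'example_safe_admin_init' );
```

The two checks that matter are the capability test and the nonce; the hook a callback is attached to never establishes either. A plugin that wants a request handler scoped to logged-in users should also prefer the `admin_post_{action}` hook over `admin_post_nopriv_{action}`, but even there the capability check belongs in the handler.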

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Advisor and Activist

    They released an update yesterday about this.

    Since there isn’t a really good way for them to push alerts to people using the free plugin (seriously, we know it sucks), there was no way to do it but to push the update and try to get the lead out.

    If you’re using the premium plugin, then you need to take that up with them on their own site where they DO have your contact info and a little more way to inform you of stuff. Otherwise, they really did do the best they can for what insanely limited tools we have here on the free repo.

    Thread Starter Dalton Rooney

    (@daltonrooney)

    I realize that there’s no good way to push updates to people using the free plugin (beyond the built-in plugin updater), but I do think they should do a little more to publicize an issue this severe. Update the readme.txt to put a notice at the top of the plugin page on www.ads-software.com, for example.

    Hello Dalton,

    Sorry about that, we realized that we haven’t acted the ideal way when we released the first security patch in 2.6.7.

    It turned out that 2.6.7 wasn’t completely safe; it was better but still not safe. Now it is good in 2.6.8, you can read more about it here:
    https://www.mailpoet.com/security-update-part-2/

    This is an extremely important 0-day security issue that we haven’t handled correctly. We now know what it feels like to have one of these issues in our plugin and, mostly, what it feels like to put our users at risk.

    We’re reviewing our code so that nothing like that ever happens again. If it does happen again, we’ll be better prepared to deal with that situation for sure, and we’ll do better, we owe you that.

    Once again my apologies along with the rest of the team.
    Ben

    Do you have any recommendation for someone who has been hacked because of MailPoet? I have three sites that have been hacked already. One site I have almost back up but it has taken me hours!

    Two more sites hacked:
    idorderthat.com
    brownsdurangoshoes.com

    Thanks!

    Georgia

    Hello!

    I was able to restore the sites via ftp. But it would be sweet if there was some sort of fix to remove the malicious code for those unsuspecting users who don’t even know their site is hacked yet.

    Thanks!

    Georgia

    Agreed, they could have at least mentioned it in the forums. Why are we hearing this from a fellow user? Thanks for that Dalton by the way, but it really should have been done by the author.
    Also, I think WordPress should have a feature that allows an author to update the plugin and mark it as a fix for vulnerabilities. It then notifies the WordPress installation, which triggers an email to the webmaster for that site, or notifies all admins. Even the mod admits it sucks, so why has nothing been done about it?

    “we haven’t acted the ideal way when we released the first security patch in 2.6.7.” “This is an extremely important 0-day security issue that we haven’t handled correctly.”
    Seriously? You’re saying you didn’t handle it correctly, put 1.7 million websites at risk, but you will do it better next time.
    Why didn’t you do it right this time?

    Sorry, but for me, it’s a case of deactivate, delete.
    You have a lovely plugin, but with security issues like this, they need to be addressed properly and they need to be addressed immediately, you can not wait around, sit on your hands and let a fellow user notify the community. And yes, for the record, we have made many plugins, some of which had vulnerabilities found in them. We pulled out all stops, notified all customers the best we could and got it fixed. So I know it is not easy and is a complete nightmare.

    georgia.d.davenport, all you can do is replace all the files with fresh files and try to check the database. You really need to ensure that you regularly back up in future. We back up the database via email, as all files can be obtained again, but the database cannot, except from a backup. Maybe try asking the guys at sucuri.net for help.

    Hi guys,

    We published a guide on our site which can help you recover your sites:
    https://support.mailpoet.com/knowledgebase/site-hacked-what-to-do/

  • The topic ‘Update older versions of MailPoet/WYSIJA right away!’ is closed to new replies.