A new report by the Wordfence Threat Intelligence team reveals two vulnerabilities in the Newsletter plugin for WordPress. Attackers can exploit them to create backdoors and set up rogue admin accounts for later use. Although a patch is available, at least 150k sites remain vulnerable because they have not updated.

WordPress Newsletter Plug-in With Two Vulnerabilities

The Newsletter plugin for WordPress is a toolkit for building newsletter templates and managing email marketing campaigns. It is simple to use, as users craft their templates in a visual editor. The plugin is popular enough to have been downloaded 12 million times to date, and it is installed on at least 300,000 WordPress sites.

Newsletter plugin dashboard

Today, a report by Ram Gall, a threat analyst at Wordfence Threat Intelligence, revealed two vulnerabilities in the Newsletter plugin. One is a cross-site scripting (XSS) flaw, the other a PHP Object Injection flaw; they are rated medium and high severity respectively. Ram Gall first reported them to the Newsletter team on July 15th, and the patch was released just two days later.

The XSS flaw can let attackers add rogue admin accounts to the site, and the PHP Object Injection flaw lets them inject a PHP object, which could then be processed by code from another plugin or theme to execute arbitrary code, upload files and so on. In short, these flaws can be used to take over vulnerable sites with little effort, so site admins using the Newsletter plugin are advised to update immediately.
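The pattern behind a PHP Object Injection flaw and the two usual hardenings, shown as an added illustration that is not code from the Newsletter plugin or from Wordfence; the class name, the function names and the serialized payload are constructed for the demo, and the block assumes PHP 8.0 or later:

```php
<?php
// Added example with hypothetical names; not the Newsletter plugin's code. Assumes PHP >= 8.0.

// A class such as some other plugin or theme on the site might legitimately define.
// Its destructor has a side effect that runs on every instance, including instances
// that unserialize() creates from an attacker-supplied string.
class Example_Log_Writer
{
    public static array $writes = []; // records destructor side effects for the demo
    public string $path = '/tmp/example.log';
    public string $data = '';

    public function __destruct()
    {
        // A real plugin might do file_put_contents($this->path, $this->data) here:
        // attacker-chosen $path and $data would then mean an arbitrary file write.
        self::$writes[] = $this->path;
    }
}

// Vulnerable pattern: a request-controlled string goes straight into unserialize().
// Any class name in the payload is instantiated, so every class loaded on the site
// becomes a potential gadget.
function load_settings_unsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardening 1: forbid object instantiation. Class names in the payload become
// __PHP_Incomplete_Class, which has no magic methods, so no gadget code runs at any
// nesting depth; the top-level check merely rejects such payloads as invalid settings.
function load_settings_safe(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    return ($value instanceof __PHP_Incomplete_Class) ? null : $value;
}

// Hardening 2: use a data-only format for anything that crosses a trust boundary.
function load_settings_json(string $untrusted): ?array
{
    $value = json_decode($untrusted, true);
    return is_array($value) ? $value : null;
}

// Constructed payload standing in for what a cookie or POST field might carry.
$payload = 'O:18:"Example_Log_Writer":2:{s:4:"path";s:20:"/tmp/constructed.php";s:4:"data";s:0:"";}';

var_dump(load_settings_safe($payload));                 // object payload rejected, no destructor ran
var_dump(load_settings_json('{"frequency":"weekly"}')); // plain data decodes as an array
load_settings_unsafe($payload);                         // gadget instantiated, then destroyed...
var_dump(Example_Log_Writer::$writes);                  // ...so its side effect already fired
```

Running the script shows the first two calls returning only data, while the unsafe call leaves the attacker-chosen path in `$writes` before the caller ever inspects the result.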

Version 6.8.3 was released on July 17th but has so far been installed by only 151,449 users. That leaves the remaining sites exposed to these attacks, so updating immediately is recommended.
