Researchers at security firm Sucuri recently discovered a critical vulnerability in the WordPress plugin MailPoet. The plugin creator has already released a security patch to address the flaw. Anyone using MailPoet should immediately upgrade to secure version 2.6.7.
MailPoet (formerly called “wysija-newsletters”) is a WordPress plugin designed to create custom newsletters and polished-looking emails within the CMS. With more than 1.7 million downloads, it has definitely found its share of users. Unfortunately, the larger the user base, the more tempting a target it makes for would-be hackers.
“If you have this plugin activated on your website, the odds are not in your favor,” Daniel Cid, CTO of Sucuri, the security firm that found the vulnerability, said. “An attacker can exploit this vulnerability without having any privileges / accounts on the target site. This is a major threat, it means every single website using it is vulnerable.”
The MailPoet vulnerability “allows attackers to remotely upload any file of their choice” to a WordPress site with this plugin installed, Ars Technica reported. This bug does not require an attacker to have admin privileges, or any privileges on a site, for that matter.
“This bug should be taken seriously,” Cid wrote on the Sucuri blog. “It gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host[ing] malware, infect[ing] other customers on a shared server, and so on.”
Sucuri is quickly becoming a dominant name for finding vulnerabilities such as the MailPoet one. The company was a lead researcher in making headlines with its work on the recent OpenSSL vulnerability with the fear-inducing name of “Heartbleed.”
Thankfully, the fix for the MailPoet bug has already been implemented in the plugin’s most recent security patch. If you use MailPoet for your WordPress site, update to the secure version 2.6.7 immediately.
As always, if you have any questions about updating a plugin for your own site, don’t hesitate to call a member of our support team. And if you’d prefer to let us completely handle a plugin’s security update, we’ll be happy to help.
Editor's Note: A more recent secure version of MailPoet, version 2.6.9, has just been released.