January 17, 2018

WordPress Sites Exploited in MailPoet Vulnerability Attacks

Last week, security firm Sucuri reported a rise in broken WordPress websites. The firm stated that the cause is a malicious payload being "blindly" injected into the sites' code, which leaves the WordPress installations broken.

Worse, the infecting PHP code corrupts legitimate core WordPress files, including plugins and themes, so when visitors pull up an infected page all they see are PHP errors. Once the malware has been removed, the only way to repair these sites is to restore the damaged files from backup.

After that report, the firm soon discovered that the attack vector is the MailPoet WordPress Plugin vulnerability, which was disclosed just a few weeks ago.

"Because of the nature of the vulnerability, specifically its severity, we will not be disclosing additional technical details. The basics of the vulnerability, however, are something all plugin developers should be mindful of," Sucuri's Daniel Cid writes. "The vulnerability resides in the fact that the developers assumed that WordPress's "admin_init" hooks were only called when an administrator user visited a page inside /wp-admin/."

Cid said the plugin relied on that "admin_init" hook as its check for whether a user is allowed to upload files to the victim WordPress site. Because the hook also fires for requests that are not authenticated, attackers have been uploading themes containing backdoors through a line of PHP code that never requires the user to be logged in. Through this vulnerability, attackers can inject anything they want into a WordPress website, allowing them to deface it, insert malware and so on. The security firm urged everyone with a WordPress website to update immediately.
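To make the design flaw concrete, here is an added illustration of the unsafe assumption the article describes beside a hardened version. This is example code written for this page, not MailPoet's code or anything published by Sucuri; the `example_*` function names and the `theme_zip` form field are hypothetical, while `admin_init`, `current_user_can`, `check_admin_referer` and `wp_check_filetype_and_ext` are real WordPress APIs.

```php
<?php
/*
 * Added illustration (hypothetical plugin code, not MailPoet's).
 *
 * admin_init is a timing hook: it fires on every request to any
 * /wp-admin/ entry point, including admin-ajax.php and admin-post.php,
 * and it fires for visitors who are not logged in at all. It says
 * nothing about who is making the request.
 */

// UNSAFE: treats "admin_init fired" as "an administrator is here".
function example_unsafe_theme_upload() {
    if ( isset( $_FILES['theme_zip'] ) ) {
        // Any request that reaches admin_init can trigger the upload.
        example_unpack_theme( $_FILES['theme_zip'] );
    }
}
// add_action( 'admin_init', 'example_unsafe_theme_upload' );

// HARDENED: identity, capability, request intent and file type are
// each checked explicitly; the hook only decides *when* the code runs.
function example_safe_theme_upload() {
    if ( ! isset( $_FILES['theme_zip'] ) ) {
        return;
    }

    // 1. The caller must be logged in and hold the capability WordPress
    //    itself requires for installing themes.
    if ( ! is_user_logged_in() || ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. The request must carry a nonce bound to this action (CSRF defence).
    //    check_admin_referer() terminates the request on failure.
    check_admin_referer( 'example_theme_upload' );

    // 3. Validate the upload before it reaches the unpacker.
    $file = $_FILES['theme_zip'];
    if ( UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( 'Invalid upload.', '', array( 'response' => 400 ) );
    }
    $check = wp_check_filetype_and_ext(
        $file['tmp_name'],
        $file['name'],
        array( 'zip' => 'application/zip' )
    );
    if ( 'zip' !== $check['ext'] ) {
        wp_die( 'Only ZIP archives are accepted.', '', array( 'response' => 400 ) );
    }

    example_unpack_theme( $file );
}
add_action( 'admin_init', 'example_safe_theme_upload' );

// Hypothetical helper standing in for the actual theme installer.
function example_unpack_theme( array $file ) {
    // A real implementation would hand the archive to WordPress's own
    // unzip_file() targeting get_theme_root().
}
```

The lesson for plugin authors is that no hook name conveys authorization: every handler that changes state or writes files must verify the user's capability and a nonce itself, regardless of which hook it is attached to.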

"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website," Cid writes. "All the hacked sites were either using MailPoet or had it installed on another site within the same shared account."

Cid reports that the attack is always the same at first, with the hacker trying to upload a custom, malicious theme to the target site. Once that's in place, hackers then stroll through their backdoor and take full control of the targeted website.

"The backdoor is very nasty and creates an admin user called 1001001," he writes. "It also injects backdoor code into all theme/core files. The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place."

Unfortunately, MailPoet is an extremely popular plugin and has been downloaded around two million times. According to Sucuri's chart, the infections peaked at just under 3,000 websites and began to fall on July 22. Cid suggests that WordPress users upgrade the MailPoet plugin immediately (v2.6.7 or later) or remove it altogether to avoid any issues.