Newsletter plugin flaw affects 300,000 WordPress websites

A new security risk for WordPress website administrators has been reported. Pentesting course experts mention that users of the Newsletter plugin could be exposed to a vulnerability that would allow threat actors to create backdoors, generate rogue administrator accounts and even take full control of a target website.

The affected plugin gives users of the content management system (CMS) the tools to create newsletters and launch marketing campaigns via email using a visual composer. Newsletter has more than 12 million downloads, although the current number of sites where it is active is approaching 300 thousand.


While reviewing a security patch that fixed a flaw in Newsletter, researchers at security firm Wordfence detected two additional plugin flaws: a cross-site scripting (XSS) flaw and a PHP object injection flaw. Both had been fixed since June 17 with the release of version 6.8.3, as mentioned by pentesting course experts.

However, the plugin has only been downloaded about 150 thousand times since the update's release, so at least 150 thousand active installations remain exposed. In other words, even after the release of the update, malicious hackers still have thousands of potential victims.

Newsletter developers ask users to upgrade to the latest version to mitigate potential attacks. According to pentesting course experts, exploiting flaws in WordPress plugins has become one of the most common hacking methods, so it is necessary to update as soon as possible.

A couple of months ago, Wordfence researchers detected a malicious campaign affecting hundreds of WordPress sites; in less than a day, the attack operators managed to gain access to multiple configuration files after exploiting some unpatched XSS flaws in various plugins.

Just a few days ago experts also detected a critical vulnerability in wpDiscuz, a plugin installed on more than 70,000 websites, whose successful exploitation would have allowed hackers to deploy remote code execution attacks.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to visit the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.