Owners of WordPress sites who use the Newsletter plugin are advised to update their installations to block attacks that could use a fixed vulnerability allowing hackers to inject backdoors, create rogue admins, and potentially take over their websites.
The vulnerability was found in the Newsletter WordPress plugin that provides the tools needed to create responsive newsletter and email mail marketing campaigns on WordPress blogs using a visual composer.
Newsletter has already been downloaded over 12 million times since it was added to the official WordPress plugin repository and is now installed on more than 300,000 sites.
Patched within two days
In a report published today by Wordfence’s Threat Intelligence team, threat analyst Ram Gall says that he discovered two additional security flaws while analyzing a previous patched published by the plugin’s developers on July 13.
Wordfence spotted a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection vulnerability that were both fully patched by Newsletter’s development team on July 17 with the release of version 6.8.3, two days after the initial report sent on July 15.
While the two flaws are rated as medium and high severity issues that could allow attackers to add rogue admins and inject backdoors after successfully exploiting the reflected XSS issue on sites running vulnerable versions of the Newsletter plugin.
Additionally, the PHP Object Injection flaw “could be used to inject a PHP object that might be processed by code from another plugin or theme and used to execute arbitrary code, upload files, or any number of other tactics that could lead to site takeover,” according to Gall.
At least 150,000 sites still exposed to attacks
Even though Newsletter 6.8.3, the plugin version that ships with a fix for the two vulnerabilities, was released on July 17, the plugin was downloaded only 151,449 times since then according to historic download data, including updates and new installs.
This translates into at least 150,000 WordPress sites with active Newsletter installations still potentially left exposed to potential attacks if hackers start exploiting these bugs as part of future campaigns.
Newsletter users are urged to update the plugin to the 6.8.3 version as soon as possible to block attacks designed to add rogue admins or to inject backdoors on their sites given that threat actors frequently use already fixed WordPress plugin vulnerabilities in their attacks.
For instance, two months ago, Wordfence reported a campaign targeting hundreds of thousands of WordPress sites within 24 hours, attempting to collect database credentials by stealing config files after successfully exploiting known XSS flaws affecting WordPress plugins and themes.
“Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files,” Gall said at the time.
Last week, a maximum severity vulnerability found in the wpDiscuz plugin installed on over 70,000 WordPress sites allowed hackers to take over hosting accounts via remote code execution attacks.
To read the original article: https://www.bleepingcomputer.com/news/security/newsletter-plugin-bugs-let-hackers-inject-backdoors-on-300k-sites/