Critical vulnerability in Newsletter WordPress Plugin allows hackers to create backdoors and take full control of a target website
Newsletter is a popular emailing WordPress plugin used by nearly 300,000 websites all over the world. Security researchers have discovered that Newsletter has two critical vulnerabilities that could lead to code execution and even site takeover.
The Newsletter plugin lets WordPress site owners compose and send email campaigns from a visual editor. Its simple UI and ease of use make it one of the most popular email plugins for WordPress. According to Wordfence, the Newsletter plugin contained a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability.
Wordfence notified the Newsletter developers about both vulnerabilities, and both have been patched in the latest release, version 6.8.2.
The second bug, the PHP object injection, is rated high severity with a CVSS score of 7.5. It arises when attacker-supplied data is passed to PHP's unserialize(), which lets the attacker choose which class is instantiated and with what property values. The plugin itself need not contain a dangerous class: if any other installed plugin or theme defines a class whose magic method (for example __destruct or __wakeup) writes files or evaluates code, the injected object can trigger it, and so be used to execute arbitrary code, upload files, or “any number of other tactics that could lead to site takeover,” the firm warned.
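To make that mechanism concrete, the following is an added illustration written for this article; it is not code from the Newsletter plugin or from Wordfence's advisory. The CacheWriter gadget class, the handler functions, the `options` key and the payload are all hypothetical stand-ins for the general pattern: a handler that unserializes request data, and a class (here standing in for one that another plugin or theme would autoload) whose destructor writes a file. It requires PHP 7.0 or later for the `allowed_classes` option.

```php
<?php
// Added illustration, not code from the Newsletter plugin. Everything below is
// hypothetical: the gadget class, the handlers, the request key and the payload.

// Hypothetical gadget class, standing in for a class that some other plugin or
// theme happens to define and autoload. Its destructor writes a file, which is
// all an attacker needs to drop a PHP backdoor into the web root.
class CacheWriter
{
    public $path = '';
    public $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: base64-decoded request data goes straight to unserialize().
// The attacker now controls which class is instantiated and its property values.
function vulnerable_handler(string $raw): array
{
    $data = unserialize(base64_decode($raw));
    return is_array($data) ? $data : [];
}

// Hardened pattern 1 (PHP >= 7.0): refuse to instantiate any class at all. Objects
// in the payload become __PHP_Incomplete_Class, whose magic methods never run.
function hardened_handler(string $raw): array
{
    $data = unserialize(base64_decode($raw), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2: do not use PHP serialization for client-supplied data at all.
function hardened_json_handler(string $raw): array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed sample payload: a serialized array whose "options" entry is a
// CacheWriter aimed at a writable path. The target is a temp file so the demo
// is harmless; an attacker would point it at the web root.
$target = sys_get_temp_dir() . '/object-injection-demo.php';
$body   = '<?php /* attacker-controlled code would go here */';
$payload = base64_encode(sprintf(
    'a:1:{s:7:"options";O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}}',
    strlen($target), $target, strlen($body), $body
));

@unlink($target);
// The object is created inside the handler and destroyed when the return value
// is discarded, so __destruct fires and the file is written.
vulnerable_handler($payload);
echo 'vulnerable handler: file ' . (file_exists($target) ? 'written' : 'not written') . "\n";

@unlink($target);
// Same payload, but no class is instantiated, so nothing is written.
hardened_handler($payload);
echo 'hardened handler:   file ' . (file_exists($target) ? 'written' : 'not written') . "\n";

@unlink($target);
// JSON cannot describe a PHP object, so the payload is simply rejected.
$decoded = hardened_json_handler($payload);
echo 'json handler:       decoded ' . count($decoded) . " keys\n";
@unlink($target);
```

Run it with `php object-injection-demo.php`; the first line reports the file written, the second and third report nothing written and no keys decoded. The point a practitioner should take from it is the one Wordfence makes: the severity of an object-injection bug depends on what other code is installed, because the gadget class comes from anywhere in the autoload path, not from the vulnerable plugin itself.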
Although the Newsletter developers have released version 6.8.2, only about 150,000 sites have downloaded the update so far, which leaves roughly half of the installed base, as many as 150,000 websites, still running a vulnerable version.