Flaw in Newsletter plugin could put 300,000 websites at risk of remote takeover


Critical vulnerability in Newsletter WordPress Plugin allows hackers to create backdoors and take full control of a target website

Newsletter is a popular emailing WordPress plugin used by nearly 300,000 websites all over the world. Security researchers have discovered that Newsletter has two critical vulnerabilities that could lead to code execution and even site takeover.

The Newsletter plugin lets WordPress website owners create and send emails using a visual editor. Its simple UI and ease of use make it one of the most popular email-creation plugins. According to Wordfence, the Newsletter plugin has a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability.

Wordfence notified the Newsletter developers about both vulnerabilities, and both have been patched in the latest Newsletter release, v.6.8.2.

The first bug is an authenticated reflected XSS flaw, a medium-severity issue scoring 6.5 on the CVSS scale. Successful exploitation could allow a logged-in attacker to inject malicious code into a web page. According to Wordfence, the issue arises because vulnerable versions of Newsletter use an AJAX function, tnpc_render_callback, to display edited blocks based on a set of options sent in the AJAX request. These options aren’t filtered; they are instead passed directly to a second function, restore_options_from_request, which displays the blocks using the render_block function. “As such, it was possible for an attacker to get malicious JavaScript to display in multiple ways,” the researchers explained in their post.

The second bug is a high-severity PHP object-injection flaw, scoring 7.5 on the CVSS scale. The vulnerability could be used to inject a PHP object that is then processed by code from another plugin or theme, and used to execute arbitrary code, upload files, or carry out “any number of other tactics that could lead to site takeover,” the firm warned.
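To make the two defensive patterns concrete, the PHP below is an added illustration written for this article; it is not code from the Newsletter plugin or from Wordfence, and the function names render_block_safely and decode_options_safely are hypothetical. It covers both bugs described above: request-supplied block options are escaped for the HTML context they land in before rendering (the reflected XSS), and structured options are decoded with JSON, or at worst with unserialize() restricted to no classes, so untrusted input can never instantiate a PHP object (the object injection). Plain PHP functions are used so the file runs stand-alone; the WordPress equivalents are named in the comments.

```php
<?php
// Added illustration, not code from the Newsletter plugin or Wordfence.
// Function names are hypothetical.
declare(strict_types=1);

/**
 * Render one block from request-supplied options. Every option is escaped
 * for the context it is written into. In WordPress the equivalents are
 * esc_html(), esc_attr() and esc_url(); plain PHP is used so this runs alone.
 */
function render_block_safely(array $options): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $title = htmlspecialchars((string)($options['title'] ?? ''), $flags, 'UTF-8');
    $text  = htmlspecialchars((string)($options['text'] ?? ''), $flags, 'UTF-8');

    // Only http(s) links are accepted; any other scheme is replaced by "#".
    $rawUrl = (string)($options['url'] ?? '');
    $url = preg_match('#^https?://#i', $rawUrl) === 1
        ? htmlspecialchars($rawUrl, $flags, 'UTF-8')
        : '#';

    return '<div class="block"><h2>' . $title . '</h2><p>' . $text
        . '</p><a href="' . $url . '">Link</a></div>';
}

/**
 * Decode block options sent by the client without risking object injection.
 * JSON cannot instantiate PHP classes, so it is tried first. If legacy
 * serialize() data must still be accepted, allowed_classes => false turns any
 * embedded object into __PHP_Incomplete_Class, so no __wakeup()/__destruct()
 * of a plugin or theme class ever runs on attacker-controlled data.
 */
function decode_options_safely(string $payload): array
{
    $decoded = json_decode($payload, true);
    if (is_array($decoded)) {
        return $decoded;
    }
    $legacy = @unserialize($payload, ['allowed_classes' => false]);
    return is_array($legacy) ? $legacy : [];
}

// Constructed sample request. A real AJAX handler would first verify the
// request nonce and the user's capability (wp_verify_nonce() and
// current_user_can() in WordPress) before touching the options at all.
$request = ['options' => json_encode([
    'title' => '<script>alert(1)</script>',
    'text'  => 'hello "world"',
    'url'   => 'javascript:alert(1)',
])];

$options = decode_options_safely($request['options']);
echo render_block_safely($options), PHP_EOL;
```

Run with `php example.php`: the script tag in the title comes out as inert `&lt;script&gt;` text and the non-http link is replaced by `#`. The point of the first function is that escaping happens at output time for the exact context (element text versus attribute value); the point of the second is that the decoder never gives untrusted bytes a way to name a class, which is what a PHP object-injection chain depends on.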

Although the Newsletter developers have released the updated version, v.6.8.2, it has been downloaded by only about 150,000 websites, which leaves at least 150,000 websites still running a vulnerable version.

