A New Security Exploit
A huge exploit is in the wild for WordPress sites that effects not only WordPress, but also Magento and Joomla sites that may be living on the same server, as well. Specifically, there is a security vulnerability in out-dated versions of the MailPoet plugin that serves as point of entry for ne’er-do-wells. Said nasty persons are then able to backdoor into the server via the WordPress site that is running the vulnerable plugin. If the site is running on a shared box, then any other site on the server is potentially fair game, as well.
What Is MailPoet?
Basically, it’s a newsletter and notification plugin. According to download stats, it’s pretty popular. I’m going to be honest, I’ve never used this plugin and can’t speak to it. Plugins can have security flaws, and they’re often patched quickly upon discovery, if the plugin is well-maintained. The long and short of it, according to MailPoet, is that the hole in the plugin permitted the uploading of arbitrary PHP files into WordPress. That’s nasty. MailPoet has posted again on the issue, admitting that they got a little too liberal with merging GET, POST, and COOKIE superglobals into arrays. In any case, they insist that the latest release, 2.6.8, is patched and secure. If you’re running this plugin, I would definitely upgrade immediately, if you haven’t already.
How Bad Is It?
As WordPress security issues go, this is pretty much as bad as it gets. What strikes me here is how easily the attackers can leverage this to backdoor into adjacent sites on the same server. Cracking Magento sites is no easy task, and if the attackers are getting in this easily, then this has me worried. This is basically a security nightmare. According to the Ars Technica write-up, malicious code can be injected into every theme and core file in your WordPress install (I’m not certain yet how deep the penetration goes in Magento). The worst kind of security exploit is the kind that not only impacts the platform that is point of entry, but can manage to propagate into other platforms as well. That’s exactly what’s happened here.
What To Do?
If you’re noticing something odd on your WordPress sites, be worried. Specifically, if you suddenly see a syntax error thrown from line 91 of your wp-config file, you’ve likely been infected. If your production environment is in version control, a quick Git or Subversion status check should show you if there are modified files present that you haven’t modified. If you’re not seeing signs of any untoward nastiness yet, and you’re running MailPoet, upgrade now (MailPoet says that, if you want to stay on an older version, they have a standalone plugin to secure it. My advice, and really theirs as well, is to do the full upgrade and figure out how to work around whatever customization it is that you wanted to keep. Security is more important). If you’re not running MailPoet, and you’re not using automatic updates in your WordPress install, then update to 3.9.1 (with all of the usual precautions that go with that, of course). If you’re on a shared box, contact your hosting provider and talk to them about risk assessment.
A lot of my colleagues who are WordPress naysayers cite what they see as it’s huge security flaws. In my experience, WordPress security issues generally come from end users not taking care of their sites, or sloppy theme and plugin development. I’m not going to speak badly about MailPoet, because I haven’t looked at their code. I will say that there are a lot of users out there who are adverse to change, or just simply don’t keep up. You can’t afford to be that person right now, and this exploit is exactly why. This isn’t like not taking care of your kid because you got busy…it’s not taking of your kid, letting your kid get sick, then sending your kid to school and letting your sick kid get every other kid at school sick, as well. There’s not an excuse not to update. This germ spreads out to everyone else, so you have a responsibility to everyone else on your shared server to make certain you’ve taken all the precautions that you can.