GoDaddy customers running WordPress with the MailPoet plugin for newsletters have recently been hacked.
The plugin, which offers standard newsletters, left a huge backdoor open to hackers during their update in July, and we can confirm Perth Gazette was also hacked while the plugin was active.
The flaw was discovered by Sucuri and written about on July 1, hours after version 2.6.7 was released to address the problem. However, many users seem not to have acted – a couple of weeks later Sucuri identified thousands of WordPress sites compromised by malware and quickly tied it to the MailPoet vulnerability – according to SC.
PG was affected twice; however, since re-installing, changing the DB and applying all other required security measures, the issue has been fixed.
As there are over 1.7 million downloads of MailPoet and counting, a potentially huge number of WordPress users are at risk if they don’t upgrade to the latest version, 2.6.7, Sucuri warned.
“To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website,” said Cid. “All the hacked sites were either using MailPoet or had it installed on other sites within the same shared account.”
The attacks in question always begin with cybercriminals trying to upload a malicious custom theme to the targeted site, before accessing a backdoor to gain full control.
“The Backdoor is very nasty and creates an admin user called 1001001. It also injects a backdoor code to all theme/core files,” Cid explained. “The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place.”
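Because Cid's point is that a copy of MailPoet on a neighboring site is enough, an audit has to cover every WordPress install under the shared account, not only the sites where the plugin is active. The script below is an added example, not code from Sucuri or MailPoet. It assumes the plugin identifies itself with "MailPoet" in its WordPress plugin header, and it takes 2.6.7 as the fixed version from the article.

```python
import os
import re

FIXED = (2, 6, 7)  # first patched MailPoet release, per the article
# Standard WordPress plugin header fields, e.g. " * Version: 2.6.6"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$",
                    re.M | re.I)

def parse_version(text):
    """Turn '2.6.6' into (2, 6, 6) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def plugin_header(path):
    """Read the plugin header fields from the top of a PHP file."""
    try:
        with open(path, "r", errors="replace") as fh:
            head = fh.read(8192)  # WordPress only inspects the first 8 KB
    except OSError:
        return {}
    return {key.lower(): value for key, value in HEADER.findall(head)}

def find_mailpoet(account_root):
    """Return (plugin_dir, version, outdated) for every MailPoet copy under
    account_root, whether or not the plugin is activated on that site."""
    findings = []
    for dirpath, dirnames, _ in os.walk(account_root):
        parent, leaf = os.path.split(dirpath)
        if leaf != "plugins" or os.path.basename(parent) != "wp-content":
            continue
        for plugin in sorted(dirnames):
            pdir = os.path.join(dirpath, plugin)
            for name in sorted(os.listdir(pdir)):
                if not name.endswith(".php"):
                    continue
                hdr = plugin_header(os.path.join(pdir, name))
                # Assumption: the header name contains "MailPoet"
                if "mailpoet" in hdr.get("plugin name", "").lower():
                    ver = hdr.get("version", "0")
                    findings.append((pdir, ver, parse_version(ver) < FIXED))
                    break
        dirnames[:] = []  # do not descend into individual plugin folders
    return findings

if __name__ == "__main__":
    import sys
    for pdir, ver, outdated in find_mailpoet(sys.argv[1]):
        print("OUTDATED" if outdated else "ok      ", ver, pdir)
```

Run it against the top directory of the hosting account. A version check does not show whether a site was already compromised, so any site flagged here should also be checked for the `1001001` admin user named in the article.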