A security firm has determined that threat actors attacked thousands of websites through a vulnerable version of the MailPoet plug-in for WordPress, which received a patch at the beginning of the month.


On July 22, Sucuri, a company providing services for protecting website integrity, announced “a massive influx of broken WordPress websites,” but could not determine the cause.

The mystery was solved the next day, in a blog post by Daniel Cid, CTO at Sucuri. He said that the attackers leveraged a flawed MailPoet version, which allowed them to inject any sort of code into the affected websites in order to carry out malicious activities such as spam campaigns or malware delivery to unsuspecting visitors.

The security glitch (zero-day) was also reported by Sucuri, who warned of its severity, especially given that the plug-in had been downloaded more than 1.7 million times.

No technical details were offered at that time, but it was said that the bug had to be taken seriously because it gave a potential intruder the ability to take complete control of the targeted website.

Moreover, if the affected site shared the server with others, the malicious attack could be extended to them too, through cross-contamination. This is exactly what happened this week.

“To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website,” said Cid in the blog post.

He also mentions that the attacks start with an upload of a malicious theme; then, the attackers access the backdoor in “/wp-content/uploads/wysija/themes/mailp/,” which creates an administrator with the name 1001001.
All core files are injected with backdoor code, which often causes good files to be overwritten; without a backup, recovering them becomes a tough task.

Cid says that an indication of a website being hacked through the MailPoet vulnerability is the presence of the following error:

Parse error: syntax error, unexpected ')' in /home/user/public_html/site/wp-config.php on line 91

Based on the websites verified with Sucuri’s sitecheck scanner, over 1,000 sites have been identified on a daily basis as being hacked, starting July 19. However, Cid says that the number is much higher.

In order to protect from this sort of attack, administrators are required to either remove the vulnerable component or upgrade it to the latest, safer release.
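
The indicators described above (the "mailp" theme directory, the administrator named 1001001 and the wp-config.php parse error) can be checked across every site on a shared server. The following triage sketch is an added example, not code from Sucuri or from the article; the function names, the sample log lines and the admin listing are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators quoted in the article; everything else below is constructed.
BACKDOOR_DIR = os.path.join("wp-content", "uploads", "wysija", "themes", "mailp")
ROGUE_ADMIN = "1001001"
PARSE_ERROR = re.compile(
    r"Parse error: syntax error, unexpected '\)' in (\S+/wp-config\.php) on line \d+")

def sites_with_backdoor_dir(server_root):
    """Walk every site on the server, not only the ones running MailPoet."""
    hits = []
    for dirpath, dirnames, _files in os.walk(server_root):
        if os.path.isdir(os.path.join(dirpath, BACKDOOR_DIR)):
            hits.append(dirpath)
            dirnames[:] = []  # site root found; do not descend further
    return sorted(hits)

def configs_with_parse_error(log_lines):
    """Return the wp-config.php paths named in the parse error quoted above."""
    found = set()
    for line in log_lines:
        match = PARSE_ERROR.search(line)
        if match:
            found.add(match.group(1))
    return sorted(found)

def sites_with_rogue_admin(admins_by_site):
    """admins_by_site maps a site name to its exported administrator logins."""
    return sorted(s for s, logins in admins_by_site.items() if ROGUE_ADMIN in logins)

def demo():
    """Run all three checks against a constructed two-site shared server."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "site_a", BACKDOOR_DIR))
        os.makedirs(os.path.join(root, "site_b", "wp-content", "uploads"))
        log = [  # constructed PHP error-log lines
            "PHP Parse error: syntax error, unexpected ')' in "
            "/home/user/public_html/site/wp-config.php on line 91",
            "PHP Notice: Undefined index: page in /home/user/site/index.php on line 3",
        ]
        admins = {"site_a": ["admin", "1001001"], "site_b": ["editor1"]}
        dirs = [os.path.basename(p) for p in sites_with_backdoor_dir(root)]
        return dirs, configs_with_parse_error(log), sites_with_rogue_admin(admins)
```

A site flagged by any one check should be treated as compromised even if MailPoet is not installed on it, since the article notes that neighboring sites on the same server can be affected.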