Vulnerabilities In Newsletter Plugin Let Hackers Inject Backdoor & Take Over 300,000 Websites

A researcher has uncovered two new, recently patched vulnerabilities in the Newsletter WordPress plugin, which is installed on more than 300,000 sites and has 12 million downloads.

Ram Gall, a malware researcher at Wordfence, says he found two vulnerabilities of medium and high severity: a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection flaw.

Ram warned that it is essential to prevent these attacks, as they could enable threat actors to implant backdoors, upload files, and take over administrator accounts, giving them full control over the website.


Wordfence detected a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection vulnerability; both have been patched by Newsletter's developer in a new release, version 6.8.3.

Vulnerabilities detected

A firewall rule already protects against the Cross-Site Scripting (XSS) vulnerability. Wordfence Premium customers received this rule on July 15, 2020; after 30 days, it becomes available to all Wordfence users free of charge.

Users of the free version must wait until August 14, 2020, when the Wordfence team has scheduled the release of the firewall rules for both patched vulnerabilities.

According to the Wordfence report: "Although the PHP Object Injection vulnerability would require additional vulnerable software to be installed, and our built-in PHP Object Injection protection would have protected against the most common exploits, we determined that a bypass was possible."

Flaw details:

  • Flaw: Authenticated Reflected Cross-Site Scripting (XSS)
  • Affected Plugin: Newsletter
  • Plugin Slug: newsletter
  • Affected Versions: < 6.8.2
  • CVE ID: Pending
  • CVSS Score: 6.5 (Medium)
  • Fully Patched Version: 6.8.2

  • Flaw: PHP Object Injection
  • Affected Plugin: Newsletter
  • Plugin Slug: newsletter
  • Affected Versions: < 6.8.2
  • CVE ID: Pending
  • CVSS Score: 7.5 (High)
  • Fully Patched Version: 6.8.2

Still, 150,000 Sites Are Vulnerable

In Newsletter 6.8.3, the developers added patches for both vulnerabilities; the version was released on July 17, and so far it has been downloaded 151,449 times.

This indicates that at least 150,000 WordPress sites with current Newsletter installations are probably still open to attack should threat actors start exploiting these bugs.

The security experts strongly recommend that users update the Newsletter plugin to the latest version, 6.8.3, to block any sudden and unwanted attacks exploiting these flaws.

Threat actors have hijacked earlier versions and are exploiting websites through the affected users' accounts. The security experts also urged users to follow the guidelines provided by WordPress.

The plugin's developer advised everyone using it to update their installation immediately to block unwanted attacks.
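As an added check (not part of the article or of Wordfence's or the plugin's code), the script below reads the version from the Newsletter plugin header of a WordPress install and flags anything below the 6.8.3 release the article names; the main-file path `plugin.php` is an assumption and the sample header is constructed for illustration.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "newsletter"      # plugin slug from the advisory
PATCHED_VERSION = "6.8.3"       # release the article says carries both fixes

# Constructed sample of a WordPress plugin header (not the real plugin file).
CONSTRUCTED_HEADER = """<?php
/*
  Plugin Name: Newsletter
  Description: sample header built for this check
  Version: 6.8.1
*/
"""


def parse_version(ver: str) -> tuple:
    """'6.8.10' -> (6, 8, 10); plain string comparison would rank 6.8.10 below 6.8.3."""
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def header_version(header_text: str):
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed release predates the patched one."""
    return parse_version(installed) < parse_version(patched)


def assess_header(header_text: str) -> tuple:
    """Return (version, vulnerable); (None, None) when no Version field is found."""
    ver = header_version(header_text)
    if ver is None:
        return None, None
    return ver, is_vulnerable(ver)


def check_install(wp_root: str) -> tuple:
    """Inspect a live install; plugin.php as the main plugin file is an assumption."""
    main = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG / "plugin.php"
    if not main.is_file():
        return None, None        # plugin not present at the assumed path
    return assess_header(main.read_text(errors="replace")[:4096])


if __name__ == "__main__":
    ver, vuln = assess_header(CONSTRUCTED_HEADER)
    print(f"Newsletter {ver}: {'UPDATE to ' + PATCHED_VERSION if vuln else 'patched'}")
```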



Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.