Tens of thousands of websites running on WordPress, the most popular blogging software on the Internet, have been compromised due to a newly discovered vulnerability. A torrent of blogs has already been defaced, injected with malware, or even shut down.
Well over a million more websites are now at risk unless they upgrade to the newest version of WordPress and MailPoet, a WordPress plugin with over 1.7 million downloads, as soon as possible.
Daniel Cid, of security firm Sucuri, discovered the new exploit when he noticed a rapid spike in WordPress websites being infected with malware as a result of a vulnerability in MailPoet, software that allows WordPress users to create and manage email lists.
To add to the problem, websites don’t even need to have MailPoet enabled or installed on their own site. If, like most WordPress users, your site resides on a server with other websites, you’re vulnerable if MailPoet resides on a neighboring website.
The attacks are always the same: A malicious custom theme is uploaded to the targeted site and a backdoor then allows adversaries to take full control.
“The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place,” Cid wrote.
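Because the injected theme and backdoor overwrite legitimate files, the practical defensive check is a file-integrity baseline of the WordPress content tree taken while the site is known-good, diffed against the live tree later. The script below is an added example, not code from the article or from Sucuri; the directory names, file contents and the "dropped-in" theme it creates are constructed to illustrate the added/modified/removed report a real snapshot would produce.

```python
"""Baseline-and-diff integrity check for a WordPress wp-content tree.

Records a SHA-256 for every regular file under a root directory and reports
files added, modified or removed since the baseline. A theme directory that
was not there before, or a plugin file whose hash changed, is exactly how the
injection described in the article surfaces. Sample tree is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_BLOCK = 1 << 16  # read files in 64 KiB chunks


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(HASH_BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the tree is not hashed."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: new files, changed hashes, and files that vanished."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a tiny wp-content tree, then simulate what
    the article describes (a new theme appears, an existing plugin file is
    overwritten) and return the resulting report."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp) / "wp-content"
        theme = wp / "themes" / "default-theme"          # constructed name
        plugin = wp / "plugins" / "newsletter-plugin"    # constructed name
        theme.mkdir(parents=True)
        plugin.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // legitimate theme\n")
        (plugin / "index.php").write_text("<?php // legitimate plugin\n")

        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(wp), store)

        # Simulated compromise: a dropped-in theme and an overwritten file.
        dropped = wp / "themes" / "dropped-in"
        dropped.mkdir()
        (dropped / "functions.php").write_text("<?php // injected\n")
        (plugin / "index.php").write_text("<?php // overwritten\n")

        return compare(load_baseline(store), build_baseline(wp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline file must be stored off the web server (the same attacker who overwrites theme files can overwrite a baseline sitting beside them), and the snapshot should be taken immediately after a clean install or a verified restore, which is the "good backup" Cid refers to.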