A serious vulnerability in MailPoet, a popular newsletter plug-in for the WordPress publishing platform, has resulted in the mass infection of websites, researchers claimed today.
Although the hole in the MailPoet plug-in was discovered in early July and plugged soon after by its developers, many sites have yet to upgrade to the latest, patched version.
Website security provider Sucuri reported the flaw and said that, since its discovery earlier this month, up to 50,000 WordPress sites have been hacked, with a large spike in infections since Monday this week.
More systems are becoming compromised and the infection is spreading beyond WordPress, Sucuri chief technology officer Daniel Cid told iTnews.
"It is very hard to know the exact number of infected sites, but we are estimating around 50,000. Just on our SiteCheck scanner, we are seeing a few thousand each day," Cid said.
"The initial compromise happens on Wordpress, but if on the same server there are other sites, the malware will try to spread there. So you might see Magento or Joomla sites hacked because of such cross-site contamination."
Cid said infections begin when an attacker uploads a malicious custom theme to a website through the vulnerable plug-in, planting a backdoor. Once the backdoor is in place, the attackers have full control of the site.
"The backdoor is very nasty and creates an admin user called 1001001. It also injects backdoor code into all theme/core files. The biggest issue with this injection is that it often overwrites good files, making it very hard to recover without a good backup in place," Cid wrote in a blog post.
Cid said the vulnerability allows attackers to inject anything from malware to spambots into a website.
The injected code is also buggy, he said, and breaks many websites by overwriting legitimate files and appending its own statements inside existing code loops.
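As an added example that is not part of the original article and is not Sucuri's or MailPoet's code: the kind of integrity check a practitioner would run when cleaning up an infection like this one. It hashes every PHP file under a WordPress root and compares the result with a baseline taken from a known-good copy (the "good backup" Cid refers to), so overwritten theme or core files and dropped-in extras show up by name rather than by guesswork. The directory layout, file contents and the placeholder standing in for the injected backdoor are all constructed for the demonstration; the real injected code is not reproduced here.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed placeholder standing in for the injected backdoor; the real
# payload from the outbreak is not reproduced here.
PLACEHOLDER = "<?php /* constructed placeholder for injected backdoor code */ ?>\n"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large core files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each PHP file under root (relative POSIX path) to its SHA-256.

    Run this against a known-good copy of the site, or the backup you would
    restore from, before looking at the live tree."""
    return {
        path.relative_to(root).as_posix(): sha256_of(path)
        for path in root.rglob("*.php")
        if path.is_file()
    }


def compare(root: Path, baseline: dict) -> dict:
    """Classify every PHP file under root against the baseline.

    'modified' covers good files that were overwritten or had code injected,
    'added' covers files the attacker dropped, 'missing' covers deleted ones."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def simulate_outbreak() -> dict:
    """Constructed scenario mirroring the behaviour described in the article:
    baseline a small clean install, then inject the placeholder into a theme
    file and a core file, and drop a new file into the theme directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_files = {  # constructed minimal layout, not a real install
            "wp-load.php": "<?php require __DIR__ . '/wp-config.php';\n",
            "wp-content/themes/example/functions.php": "<?php add_theme_support('post-thumbnails');\n",
            "wp-content/themes/example/index.php": "<?php get_header(); get_footer();\n",
        }
        for rel, body in clean_files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        baseline = build_baseline(root)

        # Overwrite a theme file outright (what makes recovery hard without a
        # backup) and prepend injected code to a core file.
        (root / "wp-content/themes/example/functions.php").write_text(PLACEHOLDER)
        core = root / "wp-load.php"
        core.write_text(PLACEHOLDER + core.read_text())
        # A file that was never part of the site; index.php is left untouched
        # so the report shows it is not flagged.
        (root / "wp-content/themes/example/dropped.php").write_text(PLACEHOLDER)

        return compare(root, baseline)


if __name__ == "__main__":
    for kind, files in simulate_outbreak().items():
        print(f"{kind}: {files or 'none'}")
```

In practice, run `build_baseline` against the clean copy and `compare` against the live document root, then restore everything listed under "modified" and delete everything under "added" from the backup rather than trying to hand-edit injected files. For core files alone, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums WordPress.org publishes, but themes and plug-ins need a baseline of your own. Pair the file check with a look at the `wp_users` table for a `user_login` of 1001001, the account Cid describes above, since removing the injected files while leaving the rogue administrator in place hands the attacker a way back in.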
MailPoet has acknowledged the problem and apologised earlier this month for releasing the insecure WordPress plug-in.
To prevent a repeat, MailPoet said it will run internal security reviews, including penetration tests, to catch issues before plug-in releases. It has also introduced a bug bounty program for those who find vulnerabilities.