Newsletter, a free WordPress plugin with more than 300,000 installations, was found to contain multiple vulnerabilities that could eventually lead to the takeover of an affected website. The bugs were discovered by the Wordfence team who notified the developer of the plugin.
About the Newsletter plugin
The Newsletter plugin facilitates a visual editor that you can use to create newsletters and email campaigns from your WordPress dashboard. There is a wide range of ready-to-use templates available, but the drag and drop function makes it very easy for beginners to build beautiful layouts themselves. In addition, the plugin contains all kinds of features to track your newsletters and view statistics.
Research by the Wordfence team has uncovered two vulnerabilities. The first is a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious code so that so-called backdoors can be created. Malicious parties can also create an admin account for themselves. The second problem concerns a PHP object-injection vulnerability. This can be used to execute arbitrary code and upload files, among other things. This vulnerability could also lead to complete website takeover.
The developers of the Newsletter plugin have taken immediate action after being made aware of the vulnerabilities. An update with patches has now been released.
Users are therefore advised to update to the most recent version of Newsletter as soon as possible. At the moment this is version 6.8.2.
Wordfence premium users are protected by a new firewall rule. This will also be made available on August 15 to those who use the free version of the Wordfence plugin. Nevertheless, it is always advisable to keep your WordPress plugins up to date.
If you want to know more about the vulnerabilities in the Newsletter plugin, you can read this blog post on the Wordfence website.