Newsletter WordPress Plugin Opens Door to Site Takeover
Newsletter, a WordPress plugin with more than 300,000 installations, has a pair of vulnerabilities that could lead to code execution and even site takeover.
The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress.
The vulnerability could be used to inject a PHP object that in turn could be processed by code from another plugin or theme, and used to execute arbitrary code, upload files or "any number of other tactics that could lead to site takeover," the firm warned.
Php file containing the WordPress site's core configuration settings by sending a specially crafted payload. "The deletion of the wp-config.php file would reset the site and allow an attacker to take over by pointing the site's new configuration to a remote database under their control," explained Wordfence.
In May, Page Builder by SiteOrigin, a WordPress plugin with a million active installs that's used to build websites via a drag-and-drop function, was found to harbor two flaws that could allow full site takeover.
News URL
https://threatpost.com/newsletter-wordpress-plugin-site-takeover/158025/