Critical security update for MailPoet

Recently we were made aware of a security threat in the MailPoet plugin which could allow a potential hacker to upload PHP files onto your server and execute them, which is a very serious vulnerability.

We started working on a fix immediately and pushed it to the WordPress.org plugin repository as soon as possible. The fix is now available in MailPoet Newsletters version 2.6.7 2.6.8 and above.

If you haven’t updated yet to the latest version of the MailPoet plugin, please do so now. We recommend always running the latest version of core WordPress (currently 3.9.1) combined with the latest version of our plugin to keep your site as secure as possible.

To install the MailPoet update, go to your site’s Dashboard > Updates and you’ll see the MailPoet plugin update listed under the “Plugins” section. Alternatively you’ll find it in Plugins > Installed Plugins > Update Available, or the latest version is available in the WordPress.org repository.

We take your site’s security very seriously and we will continue to work hard to keep the MailPoet plugin secure, in addition to useful, for all our users.

Update

If you have a version of MailPoet older than 2.6.7 2.6.8 that you still want to use, whether because you have a few customizations of our plugin you want to keep or for some other reason, we now have a standalone plugin which will protect your site from this security threat on all previous versions of MailPoet. Download it here.

This being said, we highly encourage you to keep running the latest version of our plugin on all of your sites to stay on the safe side.

DISCUSSION

    Thanks for your email on your latest security update. Appreciate much this follow up.

    Does this mean that 2.6.7 is the update or that there is an update for 2.6.7?

    I have been running 2.6.7 for more than a few days, I am sure!

    Paul,

    2.6.7 2.6.8 and above is the safe version. You’re good to go!

    Cheers!

    We were victim of a hacker through this leak. Very happy to see that you have done something with our comments. Thanks!

    I’m very sorry to hear about that Natascha.
    Thanks for your patience and kindness.

    I believe your plugin affected my WP site as well! It is still down, and trying to go back to previous version. On what DATE was version 2.6.5 or 2.6.7 of your (BAD) plugin released, so that I can go to a previous backup?

    Hello,
    I’ve updated MailPoet but now I can’t set the size of my title.
    The titles have the same size as the text in preview and mails, except in the edit view of the template, where everything looks fine.

    The standalone plugin contains a bug.

    The last line:

    add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );

    Should be:

    add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );

    The standalone plugin contains a bug.

    The last line:

    add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );

    Should be:

    add_filter( 'site_transient_update_plugins', 'mpoet_retro_safe_filter_plugin_updates' );

    Thanks for the feedback, Benny!

    I’ve updated it.

    Cheers!

    Hello,
    A few days ago the site started producing spam-mails. We have updated MailPoet with the recommended update but it did not help.
    Any idea of a workaround?
    Thanks
    Jan

    Hello Jan,

    If your site has been infected already, you’ll need to inspect the following folder and all of its subfolders:
    wp-content/uploads/wysija

    And look for PHP files; these PHP files need to be removed.

    Get in touch with us here, if you need help with that:
    http://support.mailpoet.com/feedback
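
The folder check described in the reply above, as an added example that is not part of the original post or MailPoet's own code: a shell function that lists, without deleting anything, the files under wp-content/uploads/wysija that need review. It goes one step beyond the reply by also flagging files with other extensions that contain a PHP opening tag; the function name, the extension list and the example path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not MailPoet code). Report-only: nothing is removed.
# Relies on -iname, available in GNU and BSD find.
#
# scan_wysija_uploads WP_ROOT
#   Prints one line per finding, "<reason><TAB><path>":
#     ext      name ends in an extension commonly handled by PHP (assumed list)
#     content  any other file that contains the string "<?php"
#   Returns 0 if nothing was found, 1 if there are findings,
#   2 if the wysija upload folder does not exist under WP_ROOT.
# Usage (example path): scan_wysija_uploads /var/www/html
scan_wysija_uploads() {
    dir="${1:-.}/wp-content/uploads/wysija"
    [ -d "$dir" ] || { echo "not found: $dir" >&2; return 2; }

    findings=$(
        # Pass 1: files whose name alone marks them as PHP.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec printf 'ext\t%s\n' {} \;
        # Pass 2: everything else, matched on content (fixed string, names only).
        find "$dir" -type f ! \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec grep -lF '<?php' {} + |
            while IFS= read -r f; do printf 'content\t%s\n' "$f"; done
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Review each reported path before removing it, and compare modification times against your backups to decide which backup predates the upload.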
