Recently we were made aware of a security threat in the MailPoet plugin that could allow an attacker to upload PHP files onto your server and execute them. This is a very serious vulnerability.
We started working on a fix immediately and pushed it to the WordPress.org plugin repository as soon as possible. The fix is now available in MailPoet Newsletters version ~~2.6.7~~ 2.6.8 and above.
If you haven’t updated yet to the latest version of the MailPoet plugin, please do so now. We recommend always running the latest version of core WordPress (currently 3.9.1) combined with the latest version of our plugin to keep your site as secure as possible.
To install the MailPoet update, go to your site’s Dashboard > Updates and you’ll see the MailPoet plugin update listed under the “Plugins” section. Alternatively you’ll find it in Plugins > Installed Plugins > Update Available, or the latest version is available in the WordPress.org repository.
We take your site’s security very seriously and we will continue to work hard to keep the MailPoet plugin secure, as well as useful, for all our users.
If you have a version of MailPoet older than ~~2.6.7~~ 2.6.8 that you still want to use, whether because you have a few customizations of our plugin you want to keep or for some other reason, we now have a standalone plugin which will protect your site from this security threat on all the previous versions of MailPoet. Download it here.
This being said, we highly encourage you to keep running the latest version of our plugin on all of your sites to stay on the safe side.
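To find which sites on a server still run a version older than 2.6.8, the plugin's Version header can be read from disk and compared numerically. This is an added example, not MailPoet's own code; `PLUGIN_DIR` is a placeholder for the plugin's directory name under `wp-content/plugins`, and the sample tree and headers are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = "2.6.8"  # fixed version stated in the advisory
# WordPress reads plugin metadata from a header comment in the main PHP file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def as_tuple(version):
    """'2.6.10' -> (2, 6, 10); numeric compare avoids '2.6.10' < '2.6.8'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def plugin_version(plugin_dir):
    """Return the Version header from the first top-level PHP file that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only scans the first 8 KB of a file for headers.
        m = VERSION_RE.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1)
    return None

def audit(web_root, plugin_dirname):
    """Map each install of the plugin under web_root to (version, status)."""
    results = {}
    for d in sorted(Path(web_root).rglob(f"wp-content/plugins/{plugin_dirname}")):
        v = plugin_version(d)
        if v is None:
            status = "unknown"      # no readable header: inspect by hand
        elif as_tuple(v) < as_tuple(FIXED):
            status = "vulnerable"
        else:
            status = "patched"
        results[str(d.relative_to(web_root))] = (v, status)
    return results

def demo():
    """Constructed sample tree: three sites with made-up plugin headers."""
    root = Path(tempfile.mkdtemp())
    for site, ver in [("a", "2.6.6"), ("b", "2.6.8"), ("c", "2.6.10")]:
        d = root / site / "wp-content" / "plugins" / "PLUGIN_DIR"
        d.mkdir(parents=True)
        (d / "index.php").write_text(f"<?php\n/*\nPlugin Name: Sample\nVersion: {ver}\n*/\n")
    return audit(root, "PLUGIN_DIR")

if __name__ == "__main__":
    for path, (ver, status) in demo().items():
        print(f"{status:10} {str(ver):8} {path}")
```

A site that runs an older version together with the standalone protection plugin is still reported as vulnerable, because only the version header is checked.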