Critical security update for MailPoet
Recently we were made aware of a security vulnerability in the MailPoet plugin that could allow an attacker to upload PHP files onto your server and execute them. This is a very serious vulnerability.
We started working on a fix immediately and pushed it to the WordPress.org plugin repository as soon as possible. The fix is now available in MailPoet Newsletters version 2.6.8 and above (corrected from 2.6.7).
If you haven’t updated yet to the latest version of the MailPoet plugin, please do so now. We recommend always running the latest version of core WordPress (currently 3.9.1) combined with the latest version of our plugin to keep your site as secure as possible.
To install the MailPoet update, go to your site’s Dashboard > Updates and you’ll see the MailPoet plugin update listed under the “Plugins” section. Alternatively you’ll find it in Plugins > Installed Plugins > Update Available, or the latest version is available in the WordPress.org repository.
We take your site’s security very seriously and we will continue to work hard to keep the MailPoet plugin secure, as well as useful, for all our users.
Update
If you have a version of MailPoet older than 2.6.8 that you still want to use, whether because you have a few customizations of our plugin you want to keep or for some other reason, we now have a standalone plugin which will protect your site from this security threat on all the previous versions of MailPoet. Download it here.
This being said, we highly encourage you to keep running the latest version of our plugin on all of your sites to stay on the safe side.
Dan Voye
Thanks for your email on your latest security update. Much appreciate this follow-up.
Paul
Does this mean that 2.6.7 is the update or that there is an update for 2.6.7?
I have been running 2.6.7 for more than a few days, I am sure!
Ben
Paul,
2.6.7 2.6.8 and above is the safe version. You’re good to go! Cheers!
Natascha
We were the victim of a hacker through this leak. Very happy to see that you have done something with our comments. Thanks!
Ben
I’m very sorry to hear about that Natascha.
Thanks for your patience and kindness.
Leslie
I believe your plugin affected my WP site as well! It is still down, and trying to go back to previous version. On what DATE was version 2.6.5 or 2.6.7 of your (BAD) plugin released, so that I can go to a previous backup?
Ben
Hey Leslie,
I’m sorry to hear that!
All the old versions of MailPoet have this security issue; only our latest version, 2.6.7 2.6.8 and above, is safe. Your site may be down for other reasons; a common one is the memory limit. Read more in the article below:
http://support.mailpoet.com/knowledgebase/allocated-memory-size-issue/
whoaloic
Hello,
I’ve updated MailPoet, but now I can’t set the size of my title.
The titles have the same size as the text in preview and mails, except in the edit view of the template, where everything looks fine.
Ben
Hello Whoaloic,
Thanks for reaching out, we’re currently working on a fix for that particular problem.
Get in touch with our support team through this form here:
http://support.mailpoet.com/feedback/
We’ll help you out.
Cheers!
Francesco
I cannot edit MODULES
SAVE Button doesn’t work.
Ben
Hey Francesco,
Can you please get in touch with our support team so that we can give you a hand on this:
http://support.mailpoet.com/feedback/
It will be easier to help you from there.
Thanks!
Benny V
The standalone plugin contains a bug.
The last line:
add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );
Should be:
add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );
Benny V
The standalone plugin contains a bug.
The last line:
add_filter( 'site_transient_update_plugins', 'filter_plugin_updates' );
Should be:
add_filter( 'site_transient_update_plugins', 'mpoet_retro_safe_filter_plugin_updates' );
Ben
Thanks for the feedback, Benny!
I’ve updated it.
Cheers!
Jan
Hello,
A few days ago the site started producing spam mails. We have updated MailPoet with the recommended update but it did not help.
Any idea of a workaround?
Thanks
Jan
Ben
Hello Jan,
If your site has been infected already, you’ll need to inspect the following folder and all of its subfolders:
wp-content/uploads/wysija
And look for PHP files; these PHP files need to be removed.
Get in touch with us here, if you need help with that:
http://support.mailpoet.com/feedback
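The inspection described in the comment above, as an added example (not MailPoet's code): a read-only Python script that walks wp-content/uploads/wysija and reports files a server might run as PHP, with hash and modification time for the incident record. It goes slightly beyond the comment by also flagging files that carry a PHP open tag under another extension; the extension list, function names and the constructed demo tree are assumptions made for illustration.

```python
import hashlib
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed list: extensions web servers are commonly configured to run as PHP.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

def inspect(path):
    """Return (reason, sha256) for a suspicious file, or None if it looks clean."""
    try:
        data = path.read_bytes()
    except OSError:
        return ("unreadable", None)  # report it; a human should look at it
    digest = hashlib.sha256(data).hexdigest()
    if any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
        return ("php-extension", digest)  # also catches names like x.php.jpg
    if b"<?php" in data.lower():
        return ("php-open-tag", digest)  # PHP code hidden under another name
    return None

def scan(root):
    """Walk root recursively; return one record per suspicious file. Deletes nothing."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        hit = inspect(path)
        if hit:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            findings.append({"path": path.relative_to(root).as_posix(), "reason": hit[0],
                             "sha256": hit[1], "modified": mtime.isoformat(timespec="seconds")})
    return findings

def demo_tree(base):
    """Build a small constructed sample tree (harmless placeholder contents)."""
    d = Path(base) / "wysija" / "themes" / "x"
    d.mkdir(parents=True)
    (d / "style.css").write_text("h1 { font-size: 2em }")
    (d / "sample.php").write_text("<?php // constructed placeholder ?>")
    (d / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0 <?PHP constructed placeholder")
    return Path(base) / "wysija"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = sys.argv[1] if len(sys.argv) > 1 else demo_tree(tmp)
        for f in scan(root):
            print(f"{f['modified']}  {f['reason']:<13}  {f['sha256']}  {f['path']}")
```

Pass the real folder as the first argument to scan a site; with no argument it runs against the constructed demo tree.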