MailPoet users, we are really sorry.
Last week's exploit was bad, and we should never have released a WordPress plugin with that in it.
We kept researching and running security tests on our plugin to see if we were missing something else.
A few hours ago Dominic Lüchinger, security engineer (https://twitter.com/drdol), contacted us to disclose a possible attack leveraging the way PHP merges all GET, POST and cookie parameters into the $_REQUEST array. It is directly related to the previous vulnerability, and we have just released a new version, 2.6.8, to address this particular threat.
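To illustrate the mechanism behind this report, here is an added example (not MailPoet's code, and not the fix shipped in 2.6.8) showing how PHP assembles $_REQUEST from the separate sources and why a handler should read a parameter only from the superglobal it actually expects. The function names `merge_request` and `read_post_param` are hypothetical; `merge_request` reproduces PHP's merge rule so the behaviour can be run from the command line, since the real $_REQUEST is populated at startup.

```php
<?php
// PHP fills $_REQUEST from $_GET, $_POST and $_COOKIE in the order named by the
// request_order ini setting (falling back to variables_order, e.g. "EGPCS").
// A later source overwrites an earlier one with the same key, so with an order
// that ends in "C" a cookie value shadows the GET or POST value of that name.
// This helper (hypothetical) mirrors that rule for the three request sources.
function merge_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge lets later string keys overwrite earlier ones
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Hardened accessor (hypothetical): a state-changing action takes its
// parameter from $_POST only, so a cookie or query-string value of the same
// name is never consulted. Returns null when the parameter is absent or is
// not a plain string.
function read_post_param(string $name, array $post): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    return $post[$name];
}

// Constructed sample request: "action" arrives only in a cookie, and the
// cookie also carries a "page" value that collides with the POST one.
$get    = [];
$post   = ['page' => 'settings'];
$cookie = ['action' => 'import', 'page' => 'other'];

$request = merge_request($get, $post, $cookie, 'GPC');
var_dump($request['action']);               // present although nothing was POSTed
var_dump($request['page']);                 // the cookie value, not the POST value
var_dump(read_post_param('action', $post)); // rejected: not in POST
var_dump(read_post_param('page', $post));   // the POST value, unaffected by the cookie
```

In a WordPress plugin, reading from the intended source this way complements, rather than replaces, the capability and nonce checks WordPress provides for admin actions.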
It is commonly thought that WordPress is an insecure platform and that all plugins are full of exploits. We need to change this right now!
We are introducing internal security reviews where we’ll run penetration tests on internal WordPress websites in order to catch exploits faster.
We are also introducing a bounty program for exploits. Please contact us and we’ll let you know how to get in touch on a secure channel.
We value the privacy and security of our users above anything else, and we will work every day to prevent things like this from happening again.
On your side, please always keep your plugins up to date. If you can't because you customized a particular version, please download the standalone security package, which has been updated too.
How to install the standalone plugin?
- Download the plugin here
- In your Admin, go to menu Plugins > Add
- Select the tab “Upload”
- Upload the .zip file you just downloaded
- Activate the plugin
- That’s it!