Re: CVE request: Mailpoet (wordpress-plugin) remote file upload exploited in the wild

[Henri Salo <henri () nerv fi>]

On Thu, Jul 24, 2014 at 11:26:08AM +0200, Hanno Böck wrote:
> Hi,
>
> A remote file upload in the wordpress plugin Mailpoet is currently
> widely exploited:
> http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
> http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
>
> It is fixed in the version 2.6.7. Upstream changelog:
> http://wordpress.org/plugins/wysija-newsletters/changelog/
> Fixed security issue reported by Sucuri
>
>
> The changelog lists also another security issue, fixed in version 2.6.8,
> however without any details:
> Fixed security issue reported by our dear Dominic. Thank you sir!
>
> I know that CVE requests without details aren't liked much here,
> however at the moment I don't have the time to digg into version diffs.
>
>
> Please assign CVE for the first and proceed how you think appropriate
> for the second.
>
>
> -- 
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno () hboeck de
> GPG: BBB51E42

Already assigned. Please see
http://www.openwall.com/lists/oss-security/2014/07/02/1 thanks. Top 379 plugin
in http://seclists.org/nmap-dev/2011/q2/352 by the way.

---
Henri Salo

Attachment: signature.asc
Description: Digital signature