CVE request: Mailpoet (wordpress-plugin) remote file upload exploited in the wild

[Hanno Böck <hanno () hboeck de>]

Hi,

A remote file upload in the wordpress plugin Mailpoet is currently
widely exploited:
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

It is fixed in the version 2.6.7. Upstream changelog:
http://wordpress.org/plugins/wysija-newsletters/changelog/
Fixed security issue reported by Sucuri


The changelog lists also another security issue, fixed in version 2.6.8,
however without any details:
Fixed security issue reported by our dear Dominic. Thank you sir!

I know that CVE requests without details aren't liked much here,
however at the moment I don't have the time to digg into version diffs.


Please assign CVE for the first and proceed how you think appropriate
for the second.


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: signature.asc
Description: