Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 24 Jul 2014 11:26:08 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: CVE request: Mailpoet (wordpress-plugin) remote file upload
 exploited in the wild

Hi,

A remote file upload in the wordpress plugin Mailpoet is currently
widely exploited:
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html

It is fixed in the version 2.6.7. Upstream changelog:
http://wordpress.org/plugins/wysija-newsletters/changelog/
Fixed security issue reported by Sucuri


The changelog lists also another security issue, fixed in version 2.6.8,
however without any details:
Fixed security issue reported by our dear Dominic. Thank you sir!

I know that CVE requests without details aren't liked much here,
however at the moment I don't have the time to digg into version diffs.


Please assign CVE for the first and proceed how you think appropriate
for the second.


-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ