Date: Thu, 24 Jul 2014 11:26:08 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: CVE request: Mailpoet (wordpress-plugin) remote file upload exploited in the wild Hi, A remote file upload in the wordpress plugin Mailpoet is currently widely exploited: http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html It is fixed in the version 2.6.7. Upstream changelog: http://wordpress.org/plugins/wysija-newsletters/changelog/ Fixed security issue reported by Sucuri The changelog lists also another security issue, fixed in version 2.6.8, however without any details: Fixed security issue reported by our dear Dominic. Thank you sir! I know that CVE requests without details aren't liked much here, however at the moment I don't have the time to digg into version diffs. Please assign CVE for the first and proceed how you think appropriate for the second. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ