Date: Thu, 24 Jul 2014 12:34:23 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Mailpoet (wordpress-plugin) remote file upload exploited in the wild

On Thu, Jul 24, 2014 at 11:26:08AM +0200, Hanno Böck wrote:
> Hi,
>
> A remote file upload in the wordpress plugin Mailpoet is currently
> widely exploited:
> http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
> http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
>
> It is fixed in the version 2.6.7. Upstream changelog:
> http://wordpress.org/plugins/wysija-newsletters/changelog/
> Fixed security issue reported by Sucuri
>
>
> The changelog lists also another security issue, fixed in version 2.6.8,
> however without any details:
> Fixed security issue reported by our dear Dominic. Thank you sir!
>
> I know that CVE requests without details aren't liked much here,
> however at the moment I don't have the time to dig into version diffs.
>
>
> Please assign CVE for the first and proceed how you think appropriate
> for the second.
>
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42

Already assigned. Please see http://www.openwall.com/lists/oss-security/2014/07/02/1
thanks. Top 379 plugin in http://seclists.org/nmap-dev/2011/q2/352 by the way.

---
Henri Salo