Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 24 Jul 2014 12:34:23 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: Mailpoet (wordpress-plugin) remote
 file upload exploited in the wild

On Thu, Jul 24, 2014 at 11:26:08AM +0200, Hanno Böck wrote:
> Hi,
> 
> A remote file upload in the wordpress plugin Mailpoet is currently
> widely exploited:
> http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
> http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html
> 
> It is fixed in the version 2.6.7. Upstream changelog:
> http://wordpress.org/plugins/wysija-newsletters/changelog/
> Fixed security issue reported by Sucuri
> 
> 
> The changelog lists also another security issue, fixed in version 2.6.8,
> however without any details:
> Fixed security issue reported by our dear Dominic. Thank you sir!
> 
> I know that CVE requests without details aren't liked much here,
> however at the moment I don't have the time to digg into version diffs.
> 
> 
> Please assign CVE for the first and proceed how you think appropriate
> for the second.
> 
> 
> -- 
> Hanno Böck
> http://hboeck.de/
> 
> mail/jabber: hanno@...eck.de
> GPG: BBB51E42

Already assigned. Please see
http://www.openwall.com/lists/oss-security/2014/07/02/1 thanks. Top 379 plugin
in http://seclists.org/nmap-dev/2011/q2/352 by the way.

---
Henri Salo

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ