[wp-forums] Mailpoet exploit

andrew nevins andrew.nevins.misc at gmail.com
Thu Jul 24 15:58:01 UTC 2014


Understood


On Thu, Jul 24, 2014 at 2:56 PM, Half-Elf on Tech <ipstenu at halfelf.org>
wrote:

> Ok, please DO NOT tell them to email plugins UNLESS there’s a NEW exploit
>
> The majority of people who GET hacked have no idea how to determine if a
> plugin has an exploit, so while it’s good to have them tell us ‘Plugin X is
> hacked!’ it sucks to explain “Well, how do you KNOW?” and have to teach
> ‘em. Please please PLEASE take the time and effort to make 100% sure that
> it’s THIS plugin with a hack you can confirm before you email plugins,
> otherwise it takes an insane amount of time and effort to straighten scared
> people out, who then get pissed off that the PLUGINS TEAM isn’t going to
> walk them through de-hacking.
>
> 1) There is a known exploit in the OLDER version of MailPoet, we all know
> this.
>
> 2) In breaking news, NOT upgrading your plugins leaves you vulnerable.
>
> Sucuri didn’t contact plugins. They rarely do (in fact, I can’t remember
> ever…). We are aware, but we found out about the hack at the time the
> plugin was upgraded in trac, so we did nothing because that’s what we do.
> If the plugin is fixed, there’s nothing to do but tell people to upgrade.
>
> On 24 July, 2014 at 24 Jul - 5:43:25 AM, Mark Ratledge (
> mark at markratledge.com) wrote:
>
> I'm sure sucuri has, but I had searched the forums and didn't see any
> mention of the mailpoet exploit except for threads in the plugin forum
> itself. Never mind, I shouldn't have brought it up, everyone already knows
> :)
>
> On Jul 24, 2014, at 2:27 AM, andrew nevins wrote:
>
> > I've been telling people on the forums who think there's an issue with
> > MailPoet being insecure to contact plugins at wordpress.org, but I didn't
> > realise they were getting information from other sources. Just thought they
> > were running their site through malware detectors and it was blaming
> > plugins, so I'm sure that sucuri have already contacted WordPress about
> > this.
> >
> >
> > On Thu, Jul 24, 2014 at 5:22 AM, Mark Ratledge <mark at markratledge.com>
> > wrote:
> >
> >> I meant that maybe people were thinking they got brute forced when in
> >> fact it was that plugin or that plugin in an adjacent account. In any
> >> event, pretty much the same result.
> >>
>
> _______________________________________________
> wp-forums mailing list
> wp-forums at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-forums
> --
> Half-Elf on Tech
> Sent with Airmail
>

