Resolved

pluto459 (@pluto459)


    I was just notified by my host that I was sending out 20000 emails and was in violation of TOS for sending more than allowed. I replied WHAT IN THE WORLD are you talking about.

    They said this plugin was sending out the emails. The strangest part was that the email had content and a link to my site and looked as if I had actually done the email list. Problem is NO ONE set up the list or attempted to send these emails out, yet it happened.

    This is not the first time I have seen strange behavior using this plugin, and I figured that since it was updated it would have corrected the backdoor that was left that allowed people to post content to my site through the plugin.

    This post is directed at the makers, since there was no contact link and it stated to post on the forum.

    I need answers as to how someone was able to access my site through your plugin and was allowed to create an email list.

    http://wordpress.org/extend/plugins/subscribe2/

Viewing 9 replies - 16 through 24 (of 24 total)
Thread Starter pluto459 (@pluto459)

    As stated EARLIER, the plugin was thought to be ShareThis and not an email plugin. It was installed for over two years and never an issue. THEN it sent out over 20000 emails in an hour.

    Regardless of whether I set it up and activated it, that is not normal.

    ^ just to interject.

    The Subscribe2 plugin has a vulnerability where anyone from outside can send emails through it by sending info to the plugin's URL with your domain and the content they want to go out, which includes lists of recipients.

    @frumph,

    Thanks for raising this as a security issue. If you would send me more details and a proof of concept here, I can investigate and patch if necessary.

    As far as I’m aware I’ve implemented the WordPress nonce security so what you are suggesting should not be possible – but perhaps I’ve done something wrong or there is a flaw in the nonce security.
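The thread turns on whether a nonce check alone stops outsiders from triggering a mailing. The following is an added example, not Subscribe2's code and not mattyrob's, of a WordPress request handler that verifies the nonce (which only proves the form was rendered for this user) and separately checks a capability (which is what actually authorizes sending); it also takes recipients from a stored option rather than from the request and throttles repeat runs. The hook, action, option key, transient name and capability are assumed names.

```php
<?php
// Added example (hypothetical plugin, not Subscribe2): admin-post handler that
// requires a valid nonce AND a capability before sending a mailing.
add_action( 'admin_post_example_send_mailing', 'example_send_mailing' );

function example_send_mailing() {
    // 1. Nonce: proves the request came from a form WordPress rendered for this
    //    user. Defends against CSRF only; it is not a permission check.
    check_admin_referer( 'example_send_mailing', 'example_nonce' );

    // 2. Authorization: without this, any logged-in user who can obtain a nonce
    //    (e.g. a subscriber viewing the form) could trigger a mailing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to send mailings.', '', array( 'response' => 403 ) );
    }

    // 3. Throttle: refuse to run the job again inside a 10-minute window, so a
    //    replayed or scripted request cannot produce thousands of mails an hour.
    if ( get_transient( 'example_mailing_lock' ) ) {
        wp_die( 'A mailing was sent recently; try again later.', '', array( 'response' => 429 ) );
    }
    set_transient( 'example_mailing_lock', 1, 10 * MINUTE_IN_SECONDS );

    // 4. Recipients come from the stored subscriber list only, never from the
    //    request body, so a caller cannot supply their own address list.
    $recipients = array_filter( array_map( 'sanitize_email', (array) get_option( 'example_subscribers', array() ) ) );

    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ?? '' ) );
    $body    = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    foreach ( $recipients as $to ) {
        wp_mail( $to, $subject, $body );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example&sent=' . count( $recipients ) ) );
    exit;
}

// The matching admin form must carry the nonce field and the action name.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_send_mailing', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_send_mailing">';
    echo '<input name="subject"><textarea name="body"></textarea><button>Send</button></form>';
}
```

A handler that skips step 2 is reachable by every authenticated role once a nonce is in hand, and one that skips step 4 lets the request body choose who gets mailed; either omission would match the behaviour the thread describes.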

    Any update on the supposed vulnerability?

    And, as always, thanks MattyRob for the plugin, all your work, and all your support. Some of us really appreciate it 🙂

    @madtownlems,

    I don’t recall ever having any follow-up contact on this, so as yet any security vulnerability remains unconfirmed.

    What Frumph described just happened to my client too. Somehow, a hacker is using the Subscribe2 software to email the installed client list remotely, with malware attached. The site is secure, the password seriously encrypted, and no activity is shown from the hosted account or the blog itself in the sense of an unknown IP accessing the site in any manner. Still trying to define the details.

    mattyrob

    (@mattyrob)

    @inndesign,

    Access the site via FTP and erase the Subscribe2 folder. Then install and run the Exploit Scanner plugin. I suspect you will find a few remaining back doors for the hacker.

    If you can identify any vulnerability in Subscribe2 I can fix it but as far as I know the code is secure.

    cdogstu99

    (@cdogstu99)

    Folks, same thing happened to me. I use the Subscribe2 plugin to send out emails to clients for new posts. Knew something was wrong when none of my emails were going through. The hackers were sending thousands of emails an hour, and it in turn led to my site being marked as a spammer. I am now removing the plugin.

    mattyrob

    (@mattyrob)

    @cdogstu99,

    Subscribe2 is a plugin designed to send out emails when a post is published, periodically or manually. If your site is hacked and this plugin is present (or even installed by the hacker), that doesn’t mean the plugin was the source of the hack, simply a bonus for the hacker.

    Your site may have been vulnerable due to other reasons like a weak password, WordPress being out of date, sharing passwords with other accounts, or using FTP when FTPS is more secure.

    The code is open source and has been reviewed before, and as I’ve said before, until I am shown a proof of concept for an exploit in the code I cannot patch any presumed security holes.

The topic ‘[Plugin: Subscribe2] My site was hacked and sent out mass emails from this plugin’ is closed to new replies.