Websites that run WordPress and MailPoet, a plugin with more than 1.7 million downloads, are susceptible to hacks that give attackers almost complete control, researchers have warned.

"If you have this plugin activated on your website, the odds are not in your favor," Daniel Cid, CTO of security firm Sucuri, warned in a blog post published Tuesday. "An attacker can exploit this vulnerability without having any privileges/accounts on the target site. This is a major threat, it means every single website using it is vulnerable."

The bug allows attackers to remotely upload any file of their choice to vulnerable servers. Cid declined to provide specifics about the flaw other than to say it's the result of the mistaken assumption that WordPress admin_init hooks are called only when a user with administrator privileges visits a page inside the /wp-admin directory. In fact, "any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated." The behavior makes it possible for anyone to upload files on vulnerable sites. The only safe version is the just released 2.6.7, which should be installed immediately on all vulnerable websites. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses.

"This bug should be taken seriously," Cid wrote. "It gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host[ing] malware, infect[ing] other customers (on a shared server), and so on!!"

The bug report comes less than a week after the disclosure of a critical vulnerability in the TimThumb plugin that permitted attackers to execute malicious code. That flaw has now been patched. In the past few years, attackers looking to build large botnets have increasingly shifted their focus away from computers running Windows to servers running WordPress, the Apache Web server, and similar server-based programs. The vulnerabilities underscore the importance of promptly installing any updates available for the WordPress content management system as well as any plugins that may be installed on top of it.