As many as 50,000 websites have been remotely commandeered by attackers exploiting a recently patched vulnerability in a popular plugin for the WordPress content management system, security researchers said Wednesday.

Further Reading WordPress plugin with 1.7 million downloads puts sites at risk of takeover

As Ars reported in early July , the vulnerability in MailPoet , a WordPress plugin with more than 1.7 million downloads, allows attackers to upload any file of their choice to vulnerable servers. In the three weeks since then, attackers have exploited the bug to install a backdoor on an estimated 30,000 to 50,000 websites, some that don't even run WordPress software or that don't have MailPoet enabled, according to Daniel Cid, CTO of security firm Sucuri.

"To be clear, the MailPoet vulnerability is the entry point," he wrote in a blog post. "It doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website." In an e-mail to Ars, he elaborated:

The malware injection code is actually trying to compromise all PHP files that it can on the server. So if you have a site at /var/www/site1.com with MailPoet and another site at /var/www/site2.com without it, the malware injector from site1.com will try to compromise site2.com as well. We had a client that all his 20+ sites got injected, because one site inside the same shared account had MailPoet on it. That's why we were seeing Joomla and Magento sites with the same malware as well. Took us a bit of time to connect all the dots and find the entry point on them.

Sucuri researcher Peter Gramantik first reported the mass exploitation affecting WordPress Tuesday. The injected malware installs a backdoor account that gives attackers full administrative control. It also injects backdoor code into all themes and core files. Making matters worse, the malicious code also overwrites valid files, a side effect that causes many sites to fall over and display the message: "Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91."

Cid has said that the only safe version of MailPoet is the recently released 2.6.7, which should be installed immediately on all vulnerable servers. MailPoet gives sites added abilities to create newsletters and automatically post notifications and responses.