As many as 50,000 websites have been remotely commandeered by attackers exploiting a recently patched vulnerability in a popular plugin for the WordPress content management system, security researchers said Wednesday.
"To be clear, the MailPoet vulnerability is the entry point," he wrote in a blog post. "It doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website."
The malware injection code is actually trying to compromise all PHP files that it can on the server. So if you have a site at /var/www/site1.com with MailPoet and another site at /var/www/site2.com without it, the malware injector from site1.com will try to compromise site2.com as well. We had a client whose 20+ sites all got injected because one site inside the same shared account had MailPoet on it. That's why we were seeing Joomla and Magento sites with the same malware as well. Took us a bit of time to connect all the dots and find the entry point on them.
Edited by NickAu1, 23 July 2014 - 08:41 PM.
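The shared-account exposure described in the quoted post can be audited from the file system. The sketch below is an added example, not code from the post or from the researchers it quotes: it lists, for every site directory that contains the plugin, the sibling sites whose PHP files belong to the same account. It assumes that PHP runs as the account that owns the files and that the plugin lives in `wp-content/plugins/wysija-newsletters` (a directory name not given on the page); the function names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Assumption: the plugin's directory name; it is not stated on the page.
PLUGIN_PATH = "wp-content/plugins/wysija-newsletters"

def php_owners(site):
    """Return the set of UIDs that own any .php file under a site directory."""
    owners = set()
    for root, _dirs, files in os.walk(site):
        for name in files:
            if name.endswith(".php"):
                owners.add(os.lstat(os.path.join(root, name)).st_uid)
    return owners

def shared_account_exposure(web_root, plugin_path=PLUGIN_PATH):
    """Map each site containing the plugin to the sibling sites whose PHP
    files share an owning account with it, i.e. the sites that code running
    in the first site would also be able to rewrite."""
    sites = sorted(p for p in Path(web_root).iterdir() if p.is_dir())
    owners = {s.name: php_owners(s) for s in sites}
    exposure = {}
    for site in sites:
        if not (site / plugin_path).is_dir():
            continue  # the plugin is not installed in this site
        exposure[site.name] = [
            other.name for other in sites
            if other != site and owners[other.name] & owners[site.name]
        ]
    return exposure

def build_sample(root):
    """Constructed layout mirroring the post's site1.com / site2.com case."""
    root = Path(root)
    (root / "site1.com" / PLUGIN_PATH).mkdir(parents=True)
    (root / "site1.com" / "index.php").write_text("<?php // WordPress site\n")
    (root / "site2.com").mkdir()
    (root / "site2.com" / "index.php").write_text("<?php // Joomla site\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Both sample sites are created by the same user, so site2.com is listed.
        print(shared_account_exposure(build_sample(tmp)))
```

Every site listed against a plugin-bearing site needs the same integrity check and cleanup as that site, whatever CMS it runs.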