OptimizePress–0day in Wild

I know many of you use OptimizePress, but there is an unauthenticated file upload vulnerability in its code, which essentially means a hacker can upload code to your server and have that code executed. Disabling the plugin will not do you any good. Adding an .htaccess rule to protect your /wp-content/themes/OptimizePress/lib/admin/ directory should reduce the risk, but I’m not sure if it will break all your landing pages. Deleting the file “media-upload.php” from that same directory is the surest way to remove the vulnerability while keeping your existing landing pages working.

Note that the original exploit code was posted on PasteBin on November 21st, and it appears that sites have been exploited already.
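To check whether a site has already received requests to the upload script, the following added example (not part of the original post) scans web server access logs for hits on media-upload.php under the path named above. It assumes the combined log format and that uploads arrive as POST requests; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Path taken from the post; matched case-insensitively because the theme
# directory's casing can differ between installs.
VULN_PATH = re.compile(
    r"/wp-content/themes/optimizepress/lib/admin/media-upload\.php", re.I)

# Apache/nginx "combined" access log format (assumption).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def find_upload_hits(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for every
    request that touched the vulnerable script."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not VULN_PATH.search(m["uri"]):
            continue  # unparseable line or unrelated request
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def likely_uploads(hits):
    """Client IPs with at least one POST the server answered with 2xx.
    These are the requests to investigate first."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(meth == "POST" and 200 <= status < 300
               for _, meth, status in reqs))

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [22/Nov/2013:04:11:09 +0000] "POST /wp-content/themes/'
    'OptimizePress/lib/admin/media-upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [22/Nov/2013:05:02:41 +0000] "GET /wp-content/themes/'
    'OptimizePress/lib/admin/media-upload.php HTTP/1.1" 403 199 "-" "curl/7.30"',
    '192.0.2.10 - - [22/Nov/2013:05:03:00 +0000] "GET /landing-page/ HTTP/1.1" '
    '200 8841 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_upload_hits(SAMPLE)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("Investigate first:", likely_uploads(found))
```

A successful POST from an unknown address is a reason to look for unexpected files under the WordPress directories and to review the site for other signs of compromise.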

Stay safe out there!
