Sucuri discovered the vulnerability, and informed the MailPoet team, gave them information and time to fix the issue. The MailPoet team did resolved it, but Sucuri disclosed the vulnerability to the wild just within 24hr of MailPoet released the update at WordPress.org.
This is not a Responsible Disclosure! We all are glad to Sucuri that they discovered the issue and informed the developer, but how on earth they expected a plugin which is downloaded more then 2 million times, and one of the most used plugin in its sector, could force their user to update to latest version within 24hr?
Result – 50 thousand WordPress site hacked using this exploit!