The plugin’s installations are more than 500,000, meaning that half a million websites are at risk. Furthermore, threat actors exploit the zero-day to reset admin account passwords and install rogue plugins on targeted websites.
Table of Contents [hide]
Easy WP SMTP WordPress plugin zero-day vulnerability
The vulnerable version of Easy WP SMTP plugin is 1.4.2 and below. Unpatched websites could enable an unauthenticated user to reset the admin password, the researchers warned. NinTechNet researchers discovered the issue.
Where does the zero-day stem from?
The Easy WP SMTP utility is designed to help users configure and send outgoing emails via a SMTP server. The purpose of the plugin is to prevent emails from going into the recipients’ junk or spam folder.
The plugin has an optional debug log where it keeps all email messages the website sends. The log is a text file with a random name located inside the plugin’s installation folder. Since the folder doesn’t have an index.htlm file, threat actors can find and view the log on servers with directory listing enabled.
The next step of the attack is finding the admin login name, which can be done via the REST API or author archive scans. Next, hackers can access the login page and ask attempt to reset the admin password. Then, the debug log file needs to be accessed to copy the reset link WordPress sent. This link is used to reset the admin password.
Successful attacks against sites running the vulnerable version of Easy WP SMTP show hackers are using the zero-day to install malicious plugins.
To avoid any issues, users of the plugin should immediately update to the latest version. Another security tip is disabling the debug log because it could leak sensitive details such as passwords and messages.
Last week, Wordfence security researchers disclosed several vulnerabilities in another WordPress plugin, PageLayer. 200,000 websites were at risk.
If you want to stay informed about WordPress security, we advise you to keep an eye on HowToHosting.guide. We cover the latest news daily.