Heads up, WordPress admins. The WordPress SMTP plugin has a serious vulnerability that allows an adversary to reset passwords and hijack accounts. Update your site to the latest plugin version now, if you haven't done so already.
WordPress SMTP Plugin Vulnerability
Researchers from NinTechNet have discovered a serious vulnerability affecting the WordPress SMTP plugin.
Specifically, they found a password reset flaw in the Easy WP SMTP plugin that could allow admin account takeovers. What’s alarming here is that the researchers noticed active exploitation of this flaw before it could receive a fix.
Elaborating on the details in a blog post, the researchers revealed that the plugin folder lacked an index.html file. Hence, on servers with directory listing enabled, an adversary could browse the folder and view the log file it contains.
The Easy WP SMTP plugin has an optional debug log where it writes all email messages (headers and body) sent by the blog. It is located inside the plugin’s installation folder, “/wp-content/plugins/easy-wp-smtp/”. The log is a text file with a random name, e.g., 5fcdb91308506_debug_log.txt.
An attacker could then easily enumerate admin login usernames via the REST API or by scanning author archives. Requesting a password reset for such an account would then let the attacker change the password and sign in, because the reset email, like every other message the site sends, is written to the exposed debug log; the actual site admins are thereby locked out.
Once done, the attacker could take over the site for any malicious activity. In most of the site compromises they examined, the researchers observed the installation of rogue plugins.
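As an added example (not from the article or from NinTechNet), the following Python script flags the chain described above in web-server access logs: a successful listing of the plugin directory, a read of a *_debug_log.txt file from it, username enumeration, and a password-reset request from the same client. The log lines are constructed for illustration; the REST users endpoint and the wp-login.php lostpassword action are standard WordPress paths assumed here.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2020:10:01:02 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:05 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fcdb91308506_debug_log.txt HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:15 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2020:10:02:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [10/Dec/2020:10:03:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"

# Stages of the chain the article describes: (name, predicate over method, path, status).
STAGES = [
    ("plugin_dir_listing", lambda m, p, s: p == PLUGIN_DIR and s == 200),
    ("debug_log_read", lambda m, p, s: p.startswith(PLUGIN_DIR) and p.endswith("_debug_log.txt") and s == 200),
    ("user_enumeration", lambda m, p, s: p.startswith("/wp-json/wp/v2/users") or re.search(r"[?&]author=\d+", p) is not None),
    ("password_reset_request", lambda m, p, s: m == "POST" and p.startswith("/wp-login.php") and "action=lostpassword" in p),
]

def classify(line):
    """Return (client_ip, stage_name) if the line matches a stage, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], int(m["status"])
    for name, pred in STAGES:
        if pred(method, path, status):
            return m["ip"], name
    return None

def collect_stages(log_text):
    """Map each client IP to the set of stage names it triggered."""
    stages_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            stages_by_ip[hit[0]].add(hit[1])
    return dict(stages_by_ip)

def find_suspects(log_text):
    """Clients that both read the debug log and requested a password reset
    are reported as likely takeover attempts; the rest is only noise."""
    return {ip: sorted(stages) for ip, stages in collect_stages(log_text).items()
            if {"debug_log_read", "password_reset_request"} <= stages}

if __name__ == "__main__":
    for ip, stages in find_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(stages)}")
```

A 403 on the plugin directory (directory listing disabled) is deliberately not counted, so the second client never reaches the suspect list.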
Patch Released For The Zero-Day
NinTechNet, upon discovering the bug, reached out to the plugin developers who, in turn, released a fix.
The vulnerability affects plugin versions 1.4.2 and below; the developers patched the flaw in version 1.4.3.
The researchers have, however, warned that the bug is already being exploited in the wild.
This vulnerability is currently exploited; make sure to update as soon as possible to the latest version.
Therefore, all users must update their sites to the latest plugin version. According to the stats visible on the Easy WP SMTP plugin page, many websites are still running the older versions.
Easy WP SMTP presently boasts over 500,000 installations, according to the plugin page. It means the vulnerability posed a threat to thousands of websites and blogs globally.
The current plugin version is 1.4.4 – users must make sure that their websites are running on this plugin version.
Let us know your thoughts in the comments.