Easy WP SMTP WordPress Plugin Exploited In The Wild
Popular WordPress plugin vulnerable to unauthenticated attacks continues to be targeted despite the availability of a patch.
Background
On March 17, researchers at Ninja Technologies Network (NinTechNet) published a blog about their discovery of a critical zero-day vulnerability in the Easy WP SMTP plugin that attackers began exploiting in the wild on March 15. According to WordPress, the Easy WP SMTP plugin has over 300,000 active installations. The Easy WP SMTP plugin authors released a patched version of the plugin on March 17. However, researchers at Defiant continue to observe attacks in the wild targeting this plugin.
Analysis
The vulnerability exists in version 1.3.9 of the Easy WP SMTP plugin. It was reportedly introduced when the authors added Import/Export functionality to the admin_init function. According to NinTechNet, this function is used to “view/delete the log, import/export the plugin configuration and to update options in the WordPress database.” The issue appears to be that any logged-in user is capable of executing these commands, as the code does not validate their privileges. What makes this more severe is the plugin’s use of AJAX, which is available in the admin_init function and allows unauthenticated users to execute these commands without logging into a vulnerable site.
Proof of concept
NinTechNet provided a proof of concept in its blog post that uploads a file to a vulnerable WordPress site, modifying its settings to allow any user to register on the site and grant administrator permissions to all users. They also mention that this vulnerability could be leveraged to achieve remote code execution.
Solution
The Easy WP SMTP plugin was updated to version 1.3.9.1 on March 17 to address this vulnerability. It is important for site administrators to ensure this plugin is up to date.
Site administrators must regularly review what plugins are running on their sites and whether they are up-to-date. Plugin updates may contain fixes for security issues and failure to update can leave sites vulnerable to compromise.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Get more information
- NinTechNet blog post
- Wordfence report on exploitation in the wild
- Easy WP SMTP plugin description page
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Related Articles
Walking the Walk: How Tenable Embraces Its "Secure by Design" Pledge to CISA
November 25, 2024As a cybersecurity leader, Tenable was proud to be one of the original signatories of CISA’s “Secure by Design" pledge” earlier this year. Our embrace of this pledge underscores our commitment to security-first principles and reaffirms our dedication to shipping robust, secure products that our users can trust. Read on to learn how we’re standing behind our pledge.
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
