A zero-day vulnerability in a popular WordPress SMTP plugin allows attackers to reset admin account passwords and take over sites completely. The vulnerability is being exploited in the wild, and the plugin should be updated as soon as possible.
Easy WP SMTP is a popular plugin used on more than 500,000 WordPress websites. The plugin allows website administrators to configure and send emails via an SMTP server.
According to Ninja Technologies Network, Easy WP SMTP 1.4.2 and older versions of the plugin contain a zero-day vulnerability that could allow attackers to reset admin account passwords.
The zero-day vulnerability stems from a feature that creates debug logs for all sent emails and stores the logs in its installation folder. Since a password reset involves sending an email with a reset link in its content, this information is stored in these logs too.
Thus, the first step in exploiting the vulnerability is to request a password reset for the targeted website. If directory listing is enabled, all an attacker needs to do is view the log file by typing the example URL given below and use it to reset the password.
Note that the mail log feature of Easy WP SMTP does not constitute a vulnerability on its own. However, combined with another common weakness, namely directory listing being enabled on the website, the logs are unintentionally exposed to adversaries.
"This will surprise some of your readers, but my primary interest is not with computer security. I am primarily interested in writing software that works as intended." - Wietse Venema
An unauthenticated remote attacker can reset the administrator password and take over the targeted WordPress website completely.
Category: Unauthenticated Password Reset
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
To defend against possible attacks exploiting this vulnerability, vulnerable installations of the Easy WP SMTP plugin (1.4.2 and older versions) should be updated to the most recent version.
As a workaround, directory listing should also be disabled to prevent direct access to the Easy WP SMTP log files and to prevent other potential future attacks based on information leaks from the website.
Also, as a rule of thumb, the attack surface should be reduced by identifying a minimal set of essential and critical plugins to be installed in WordPress. The selected plugins should come from trustworthy sources, and the most trusted version should be installed in your system. Don't forget that each theme and plugin comes with its own vulnerabilities that attackers can exploit. Read more on how to secure WordPress sites.
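To check whether a site has already been targeted, the sequence described above (a password reset request followed by a successful read of the plugin folder) can be searched for in the web server access log. The following is an added example, not code from the plugin or from the advisory; it assumes Combined Log Format, the plugin installed under /wp-content/plugins/easy-wp-smtp/, and a 30-minute correlation window, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"   # assumed install path
WINDOW = timedelta(minutes=30)                      # assumed correlation window
STATIC = (".css", ".js", ".png", ".gif", ".svg")    # ordinary assets, ignored

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [01/Jan/2024:10:05:03 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.9 - - [01/Jan/2024:11:00:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1024 "-" "-"',
]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_suspects(lines):
    """IPs that requested a password reset and then got a 200 for the plugin
    folder (directory listing) or a non-asset file in it, within WINDOW."""
    last_reset, suspects = {}, set()
    for rec in filter(None, map(parse, lines)):
        ip, ts, method, path, status = rec
        bare = path.split("?", 1)[0].lower()
        if method == "POST" and "wp-login.php" in bare and "action=lostpassword" in path:
            last_reset[ip] = ts
        elif (method == "GET" and status == 200 and bare.startswith(PLUGIN_DIR)
              and not bare.endswith(STATIC)):
            t0 = last_reset.get(ip)
            if t0 is not None and timedelta(0) <= ts - t0 <= WINDOW:
                suspects.add(ip)
    return sorted(suspects)

if __name__ == "__main__":
    print(find_suspects(SAMPLE))
```

Any 200 response for the bare plugin folder, such as the last sample line, also shows that directory listing is still enabled even when no reset request from the same address precedes it. Correlating by source address misses a reset and a read made from different addresses, so treat an empty result as a lack of evidence rather than an all-clear.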
References to Advisories, Solutions and Tools
To learn more about how to protect your WordPress site, you can also read How to Secure Your WordPress Site?