There are two cybersecurity companies have detected Zero-Day vulnerability in WordPress SMTP Plugin.
Easy WP SMTP allows you to Send email using an SMTP server. It configures to send all outgoing emails via an SMTP server. This will prevent your emails from going into the junk/spam folder of the recipients.
Moreover 300,00 active installs in WordPress websites. First found by Ninja Technology
The vulnerability was found in 1.3.9 version and it has been exploited by hackers since last 15 March, was detected by NinjaFirewall and Wordfence.
If you are still using the old version of Easy WP SMTP then you should need to update 18.104.22.168 version.
According to NinTechNet, hackers modified the “wp_user_roles” option in the database and to give administrator capabilities to all users. Unlike creating an admin account, which can be easily detected in the WordPress “Users” section
This means that hackers would register new accounts that appeared as subscribers in the WordPress site’s database, but change the permissions abilities as admin can do.
According to Wordfence, the hackers can modify the setting default_role to “administrator”, and enabling users_can_register. Then, the attacker uses these new settings to register an administrator user for themselves.
Other vulnerabilities could be exploited such as:
- Remote Code Execution via PHP Object Injection because Easy WP SMTP makes use of unsafe unserialize() calls.
- Viewing/deleting the log (or any file, since hackers can change the log filename).
- Exporting the plugin configuration which includes the SMTP host, username and password and using it to send spam emails.
- Interestingly, all attempts caught by our firewall on March 15 showed that hackers tried to exploit the vulnerability to alter the content of the WordPress wp_user_roles option in the database and to give administrator capabilities to all users.
Both of the campaigns launch their initial attacks identically, by using the proof of concept (PoC) exploit.
As always, it’s important for users to regularly update their plugins in order to apply the security patches for vulnerabilities like these.
Easy WP SMTP version 22.214.171.124 prevents unauthenticated access and fixed a potential vulnerability in import and export settings.