Easy WP SMTP Security Bug Can Reveal Admin Credentials

East WP SMPT bug

A poorly configured file opens users up to site takeover.

Easy WP SMTP, a WordPress plugin for email management that has more than 500,000 installations, has a vulnerability that could open the site up to takeover, researchers said.

Easy WP SMTP allows users to configure and send all outgoing emails via a SMTP server, so that they don’t end up in the recipient’s junk/spam folder. Version 1.4.2 and below contains a flaw in the debug file that is exposed because of a fundamental error in how the plugin maintains a folder, according to researchers at GBHackers.

“[The vulnerability] would allow an unauthenticated user to reset the admin password which would enable the hacker to take complete control of the website,” according to a Monday posting.

Threatpost Webinar Promo Bug Bounty

Click to register.

This optional debug log is where the plugin writes all email messages (headers and body) sent by the website. It is located inside the plugin’s installation folder, “/wp-content/plugins/easy-wp-smtp/,” researchers said.

The log is a simple text file; and the plugin’s folder doesn’t have an index.html file, so that on servers that have directory listing enabled, hackers can find and view the log, paving the way for a username enumeration scan. This can allow attackers to find the admin login.

“Hackers can also perform the same task using the author achieve scans (/?author=1),” the researchers explained. “They access the login page and ask for the reset of the admin password. Then, they access the Easy WP SMTP debug log again in order to copy the reset link sent by WordPress. Once the link is received, they reset the admin password.”

Logging into the admin dashboard gives attackers run of the site, including the ability to install rogue plugins, the researchers said.

Users should update to the current version 1.4.4 to patch the issue.

Problematic Plugins

WordPress plugins continue to provide a convenient avenue to attack for cybercriminals.

In November, a security vulnerability was found in the Welcart e-Commerce plugin opens up websites to code injection. This can lead to payment skimmers being installed, crashing of the site or information retrieval via SQL injection, researchers said.

In October, two high-severity vulnerabilities were disclosed in Post Grid, a WordPress plugin with more than 60,000 installations, which opened the door to site takeovers. And in September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.

Earlier, in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.

And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Allie Mellen, a security strategist in the Office of the CSO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.


Suggested articles