Zero-day vulnerability in WordPress plugin affects more than 500,000 websites

In a recently detected campaign, a hacker group has been resetting administrator passwords on WordPress sites by exploiting a critical zero-day vulnerability in Easy WP SMTP, a plugin with over 500,000 active installations. The flaw was corrected this Monday.

This tool allows website administrators to modify SMTP settings for outgoing emails from their users’ platforms.

According to the report, version 1.4.2 and earlier of the plugin contain a function to create debug logs of emails sent from the user’s website. Because the plugin folder does not contain any index.html files, servers have directory list enabled; in turn, threat actors could find these records with ease.

La imagen tiene un atributo ALT vacío; su nombre de archivo es wp1412202001.jpg

Cybercriminals who managed to exploit this flaw in vulnerable sites have been deploying automated attacks to identify administrator accounts and force a password reset. All attackers have to do is access the debug log after resetting the password, taking the reset link and taking control of the target website.

La imagen tiene un atributo ALT vacío; su nombre de archivo es wp1412202002.jpg

The developers fixed this flaw by simply moving the plugin debug log to the WordPress logs folder to ensure its protection. This is the second time a zero-day vulnerability has been detected in this plugin; in March 2019, a group of researchers discovered that unidentified threat actors were exploiting a flaw in Easy WP SMTP to enable user registration and create administrator accounts as a backdoor.

Fortunately, it’s not all bad news. Unlike the 2019 landscape, the current version of the CMS features a built-in auto-update feature for themes and add-ons. Added in August 2020, with the release of WordPress 5.5, if enabled, this feature will allow plugins to always run in the latest available version without having to update them manually.