|Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email and has a user base of over 300,000 active installs. The vulnerability is only present in version 1.3.9 of the plugin, and all of the plugin’s users should update to 126.96.36.199 as quickly as possible to address the flaw.|
This vulnerability is under active attack, being used by malicious actors to establish administrative control of affected sites en masse. We have released a firewall rule which prevents exploitation of the flaw, protecting Wordfence Premium sites which haven’t yet updated the affected plugin. Our free users will gain access to the new rule in thirty days, but they can protect themselves in the meantime by updating their plugins.
In today’s post, we’ll look at the vulnerability, how attackers are abusing it, and what users should do if they believe they’ve been put at risk.
Insufficient Access Controls In Import/Export Feature
The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The new code resides in the plugin ’s hook
When this hook fires, the plugin checks for the existence of the POST
A number of issues present themselves in this process.
First, and most importantly, no capabilities checks are performed during this process so an attacker does not need any special permissions to exploit this flaw.
Next, instead of running on a dedicated AJAX action, REST endpoint, or dashboard page, the importer looks for an import with every call
Then, unsanitized user input is passed
Lastly, any user-provided options are updated, rather than a set of plugin-specific options. This allows an attacker to alter any values in a site ’s table
Exploit Campaigns Taking Over Vulnerable Sites
The Defiant Threat Intelligence team is actively tracking activity from two distinct threat actors associated with this vulnerability.
Both of the campaigns launch their initial attacks identically, by using the proof of concept (PoC) exploit detailed in NinTechNet’s original disclosure of the vulnerability. These attacks match the PoC exactly, down to the checksum, and enable users to register administrator accounts by changing to
From here, the campaigns diverge. The first threat actor’s activity stops after this point, suggesting that this stage was the only automated step of their process and they’re just assembling a number of rogue admin accounts for later use.
The other campaign continues by altering the victim site ’s and
In these cases, we’ve identified two domains used in the options values and script injections:
Notably, both of these domains resolve to the same host IP address, which also hosts the malicious domains and
The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers. As always, it’s important for users to regularly update their plugins in order to apply the security patches for vulnerabilities like these. Easy WP SMTP version 188.8.131.52 prevents unauthenticated access to the import script, as well as restricting affected options to only include expected values.
For typical WordPress users, if you believe your site may have been compromised as a result of this or any other vulnerability, consider reaching out to our team for a site cleaning.
Otherwise, be on the lookout for the following indicators of compromise (IOCs):
Logged traffic from the following IPs:184.108.40.206
Administrator accounts present for unknown users. For example devidpentesting99
As this situation shows, the time between the publication of vulnerability details and the first round of attacks can be incredibly short. Even the most fastidious site owners can be caught unaware and left open to attack. A firewall backed by a team focused 100% on WordPress security is must-have insurance for these situations. If your site matters to you, consider upgrading to Wordfence Premium to guard against future vulnerabilities of this nature.