Easy WP SMTP WordPress Plugin Exploited In The Wild
Popular WordPress plugin vulnerable to unauthenticated attacks continues to be targeted despite the availability of a patch.
Background
On March 17, researchers at Ninja Technologies Network (NinTechNet) published a blog about their discovery of a critical zero-day vulnerability in the Easy WP SMTP plugin that attackers began exploiting in the wild on March 15. According to WordPress, the Easy WP SMTP plugin has over 300,000 active installations. The Easy WP SMTP plugin authors released a patched version of the plugin on March 17. However, researchers at Defiant continue to observe attacks in the wild targeting this plugin.
Analisi
The vulnerability exists in version 1.3.9 of the Easy WP SMTP plugin. It was reportedly introduced when the authors added Import/Export functionality to the admin_init function. According to NinTechNet, this function is used to “view/delete the log, import/export the plugin configuration and to update options in the WordPress database.” The issue appears to be that any logged-in user is capable of executing these commands, as the code does not validate their privileges. What makes this more severe is the plugin’s use of AJAX, which is available in the admin_init function and allows unauthenticated users to execute these commands without logging into a vulnerable site.
Proof of concept
NinTechNet provided a proof of concept in its blog post that uploads a file to a vulnerable WordPress site, modifying its settings to allow any user to register on the site and grant administrator permissions to all users. They also mention that this vulnerability could be leveraged to achieve remote code execution.
Solution
The Easy WP SMTP plugin was updated to version 1.3.9.1 on March 17 to address this vulnerability. It is important for site administrators to ensure this plugin is up to date.
Site administrators must regularly review what plugins are running on their sites and whether they are up-to-date. Plugin updates may contain fixes for security issues and failure to update can leave sites vulnerable to compromise.
Identifying affected systems
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Get more information
- NinTechNet blog post
- Wordfence report on exploitation in the wild
- Easy WP SMTP plugin description page
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Articoli correlati
Cybersecurity Snapshot: Guide Unpacks Event-Logging Best Practices, as FAA Proposes Stronger Cyber Rules for Airplanes
August 23, 2024Looking to sharpen your team’s event logging and threat detection? A new guide offers plenty of best practices. Plus, the FAA wants airplanes to be more resilient to cyberattacks. Meanwhile, check out the critical vulnerabilities Tenable discovered in two Microsoft AI products. And get the latest on ransomware trends, vulnerability management practices and election security!
SSRFing the Web with the Help of Copilot Studio
August 20, 2024Tenable Research discovered a critical information-disclosure vulnerability in Microsoft’s Copilot Studio via a server-side request forgery (SSRF), which allowed researchers access to potentially sensitive information regarding service internals with potential cross-tenant impact.
Cybersecurity Snapshot: First Quantum-resistant Algorithms Ready for Use, While New AI Risks’ Database Is Unveiled
August 16, 2024NIST has released the first encryption algorithms that can protect data against quantum attacks. Plus, MIT launched a new database of AI risks. Meanwhile, the CSA published a paper outlining the unique risks involved in building systems that use LLMs. And get the latest on Q2’s most prevalent malware, the Radar/Dispossessor ransomware gang and CVE severity assessments!