This article originally appeared in Infosecurity Magazine on March 22, 2019.
A WordPress zero-day in the Easy WP SMTP plugin is actively being exploited in the wild, according to NinTechNet.
The plug-in allows site owners using WordPress to both configure and send outgoing emails through an SMTP server, preventing messages from landing in the recipient’s junk folder. By exploiting what is categorized as a critical vulnerability, hackers reportedly gained administrative access and were able to alter content on WordPress websites.
In the proof-of-concept (PoC), NinTechNet researcher Jerome Bruandet said he used “swpsmtp_import_settings to upload a file that will contain a malicious serialized payload that will enable users registration (users_can_register) and set the user default role (default_role) to ‘administrator’ in the database.”
With the largest market share among all content management systems (CMSs), WordPress is used by one-third of all websites, according to Web Technology Surveys (w3techs).
“Because of its sheer dominance in the CMS space along with the presence of many WordPress plugins, WordPress sites are a ripe target for cyber-criminals. In this case, the Easy WP SMTP plugin has over 300,000 active installations and despite the availability of a patch for it, there are reports that attackers continue to target sites running the vulnerable plugin,” said Satnam Narang, senior research engineer at Tenable.
“The vulnerability exists in version 1.3.9 of the plugin, so users running older versions of the plugin are not vulnerable. However, all users, especially those using 1.3.9, should update to the latest version of the plugin, 1.3.9.1, as soon as possible.”
This latest exploit also evidences the importance of vetting plugins to ensure they are up to date and executing only authorized tasks, according to Brandon Chen, digital security and operations manager of The Media Trust.
“Removing them when they’re no longer needed [is] part of protecting users from identity and financial theft. Each plugin represents at least a few attack surfaces, because the code that enables the plugin to function is coming from at least one vendor, who is likely bringing in outsourced code. Every plugin you introduce into your digital environment introduces third parties you may or may not know – and chances are, you don’t know most of them.”
