Vulnerability Discovered in v1.3.9 of Easy WP SMTP Plugin

On March 15, NinTechNet reported a zero-day vulnerability in version 1.3.9 of the Easy WP SMTP plugin. The vulnerability lets attackers gain admin access to affected WordPress websites. Luckily, the plugin’s developers reacted quickly: on March 17, they released a new version of the plugin with the vulnerability patched.

If you are among the 300,000+ users of Easy WP SMTP, you should make sure to update your plugin to this latest version (v1.3.9.1) as soon as possible.

Details

The vulnerability is located in the new import/export functionality added in v1.3.9 of Easy WP SMTP. The plugin’s handler runs on the admin_init hook without checking the caller’s capabilities, so a request to it can alter any value in the wp_options table. Additionally, since the admin_init hook also fires for requests to admin-ajax.php, which is reachable without logging in, the vulnerability can be exploited by unauthenticated users. Therefore, anyone with sufficient know-how can modify the wp_user_roles option to grant every user role the capabilities of “administrator”. Clearly, this is a huge issue. You can read an in-depth breakdown of how hackers are exploiting the vulnerability on the Wordfence blog or in this post by NinTechNet.
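The general shape of this class of bug, as an added illustration that is not Easy WP SMTP’s own code: an import handler hooked to admin_init that writes whatever options the upload contains, beside a hardened version that requires a capability, a nonce, and an allow-list of option names. The function, option and field names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names are hypothetical.

// VULNERABLE PATTERN: admin_init also fires for admin-ajax.php, which is
// reachable without a session. With no capability check, any request that
// carries the import fields can overwrite arbitrary options, wp_user_roles
// included.
function vulnerable_settings_import() {
    if ( empty( $_POST['do_import'] ) || empty( $_FILES['settings_file'] ) ) {
        return;
    }
    // Untrusted serialized data, written straight into wp_options.
    $data = unserialize( file_get_contents( $_FILES['settings_file']['tmp_name'] ) );
    foreach ( (array) $data as $option_name => $value ) {
        update_option( $option_name, $value );
    }
}
// add_action( 'admin_init', 'vulnerable_settings_import' );

// HARDENED PATTERN: privileged capability, nonce bound to this action,
// no unserialize(), and only the plugin's own option may be written.
function hardened_settings_import() {
    if ( empty( $_POST['do_import'] ) || empty( $_FILES['settings_file'] ) ) {
        return;
    }
    // Unauthenticated and low-privilege callers stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Rejects cross-site and replayed form submissions.
    check_admin_referer( 'example_settings_import', 'example_import_nonce' );

    $raw  = file_get_contents( $_FILES['settings_file']['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid import file.', 400 );
    }
    // Allow-list: the only option this plugin is permitted to change.
    $allowed = array( 'example_smtp_settings' );
    foreach ( $data as $option_name => $value ) {
        if ( in_array( $option_name, $allowed, true ) ) {
            update_option( $option_name, $value );
        }
    }
}
add_action( 'admin_init', 'hardened_settings_import' );
```

The capability check alone closes the unauthenticated path; the nonce closes the CSRF path against a logged-in administrator, and the allow-list means that even a bug elsewhere in the handler cannot reach wp_user_roles.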

Recommended Actions

As I already mentioned, if you have Easy WP SMTP installed on your WordPress website, you should immediately update the plugin to version 1.3.9.1. If you suspect your website has already been affected by this vulnerability, you should also take the following steps:

  • Install a security plugin and run a file scan.
  • Change all your passwords.
  • Navigate to the “Users” page of your WordPress admin panel, check for any new or unusual accounts, and remove them.
  • Check for suspicious changes in your WordPress general settings (Settings >> General), since the same flaw can alter any option.
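The role and account checks above can be scripted. The following is an added example, not part of the original article: run it inside WordPress (for instance with `wp eval-file role-audit.php` under WP-CLI, or as a temporary mu-plugin). It reads the roles option (wp_user_roles under the default table prefix), flags any non-administrator role that has picked up administrator-only capabilities, and lists the administrator accounts so you can compare them with the ones you expect.

```php
<?php
// Added example, not the article's or the plugin's code.
global $wpdb;

// Capabilities that only the administrator role carries on a default
// single-site install; finding them on another role means the option was altered.
$admin_only_caps = array(
    'manage_options', 'edit_users', 'delete_users',
    'promote_users', 'install_plugins', 'edit_plugins',
);

// The option is prefix-dependent: wp_user_roles with the default "wp_" prefix.
$roles = get_option( $wpdb->prefix . 'user_roles' );
if ( ! is_array( $roles ) ) {
    echo "Roles option is missing or malformed; reset roles or restore from backup.\n";
    exit( 1 );
}

$problems = 0;
foreach ( $roles as $role_slug => $role ) {
    if ( 'administrator' === $role_slug ) {
        continue;
    }
    $caps    = isset( $role['capabilities'] ) ? (array) $role['capabilities'] : array();
    $granted = array();
    foreach ( $admin_only_caps as $cap ) {
        if ( ! empty( $caps[ $cap ] ) ) {
            $granted[] = $cap;
        }
    }
    if ( $granted ) {
        $problems++;
        printf( "Role '%s' has administrator capabilities: %s\n",
                $role_slug, implode( ', ', $granted ) );
    }
}

// Newest administrators first; anything you did not create is suspect.
$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
) );
printf( "%d administrator account(s):\n", count( $admins ) );
foreach ( $admins as $user ) {
    printf( "  %-20s %-30s registered %s\n",
            $user->user_login, $user->user_email, $user->user_registered );
}

if ( $problems ) {
    echo "Roles option has been altered; reset roles, remove unknown accounts, rotate passwords.\n";
    exit( 1 );
}
echo "No altered roles found.\n";
```

If the script reports altered roles, `wp role reset --all` (WP-CLI) restores the default role definitions; a tampered roles option also inflates the administrator list, so rerun the script after the reset before judging the accounts.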

We hope this article was helpful. If you liked it, feel free to check out some of these articles as well!
