0day Vulnerability in Easy WP SMTP Affects Thousands of Sites

  • March 21, 2019
WordPress Vulnerability Detail

Exploitation Level: Very Easy / Remote

DREAD Score: 9.4

Vulnerability: Arbitrary Option Update

Patched Version: 1.3.9.1

The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options of an affected site — ultimately leading to a complete site compromise.

The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites.

Technical Details

Vulnerable hook abused
The unprotected admin_init hook that is being abused

The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context. We’ve seen similar mistakes being made in plugins as far back as 2014.

As discussed by the original reporters of this issue, this hooked function handles a variety of administrative features. One of them, an import/export mechanism, enables an attacker to import files containing a list of options to update in the site’s database.

While this serialized content could be used to perform a PHP Object Injection attack, bad actors have found it a lot easier to simply update some WordPress options to give any users administrative privileges. The same technique can also be used to enable user registration when they otherwise wouldn’t be able to.

Some of the options used include the default_role, users_can_register and wp_user_roles, which are stored in the wp_options table.

Attacks In The Wild

We are seeing malicious requests being used in the wild. While most of them target /wp-admin/admin-post.php, other endpoints in the /wp-admin/ directory can be used to trigger the admin_init hook and exploit the vulnerability.

In Conclusion

The urgency of this particular vulnerability is defined by the associated DREAD score, which looks at damage, reproducibility, exploitability, affected users, and discoverability.

Unauthenticated attacks are very serious as they can be automated — this makes it easy for hackers to mount successful, widespread attacks against vulnerable websites. Once a bad actor has gained access to sensitive environments without supplying valid credentials, they can act as a trusted user and completely take control of a website.

The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

If you are using version 1.3.9 of this plugin, we strongly recommend that you update it to version 1.3.9.1 as soon as possible.

In the event that you can’t update the plugin, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like