Sucuri Blog
WordPress Vulnerability Detail

0day Vulnerability in Easy WP SMTP Affects Thousands of Sites

March 21, 2019, by Marc-Alexandre Montpas

Exploitation Level: Very Easy / Remote

DREAD Score: 9.4

Vulnerability: Arbitrary Option Update

Patched Version: 1.3.9.1


The Easy WP SMTP plugin authors have released a new update, fixing a critical 0day vulnerability. When leveraged, it gives unauthenticated attackers the ability to modify any option of an affected site, ultimately leading to a complete site compromise.

The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites.

Technical Details

[Figure: The unprotected admin_init hook that is being abused]

The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context: admin_init fires on every request that loads a /wp-admin/ entry point, including admin-post.php and admin-ajax.php, which unauthenticated visitors can reach, so running it does not mean an administrator (or any logged-in user) is present. We’ve seen similar mistakes being made in plugins as far back as 2014.

As discussed by the original reporters of this issue, this hooked function handles a variety of administrative features. One of them, an import/export mechanism, lets an attacker upload a file containing a serialized list of options, which the plugin then writes to the site’s database without any capability or nonce check.

While this serialized content could be used to perform a PHP Object Injection attack, bad actors have found it a lot easier to simply update a few WordPress options so that any user is granted administrative privileges. The same technique can also be used to enable user registration on sites that otherwise have it disabled.

Some of the options used include the default_role, users_can_register and wp_user_roles, which are stored in the wp_options table.
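To make the hook misuse concrete, here is an added example (not Easy WP SMTP’s code, and not from the original post) of a hypothetical plugin’s admin_init import handler, first in the vulnerable shape described above and then hardened. The function, form field, nonce and option names are invented for illustration.

```php
<?php
/*
 * Added example, not the plugin's own code. Shows the class of bug
 * described above in a hypothetical plugin's admin_init handler,
 * followed by a hardened version. All names are assumptions.
 */

// VULNERABLE PATTERN: admin_init runs for every request that loads a
// wp-admin entry point, including admin-post.php and admin-ajax.php, which
// unauthenticated visitors can reach. Nothing here checks who is calling
// or whether the request came from a legitimate form, and unserialize()
// on attacker-controlled bytes additionally exposes PHP Object Injection.
function example_vulnerable_import_handler() {
    if ( isset( $_POST['example_import'] ) && ! empty( $_FILES['example_file']['tmp_name'] ) ) {
        $settings = unserialize( file_get_contents( $_FILES['example_file']['tmp_name'] ) );
        foreach ( $settings as $name => $value ) {
            // Writes ANY row of wp_options: default_role, users_can_register, ...
            update_option( $name, $value );
        }
    }
}
// add_action( 'admin_init', 'example_vulnerable_import_handler' ); // do not use

// HARDENED PATTERN: same feature, with the checks the vulnerable one lacks.
function example_hardened_import_handler() {
    if ( ! isset( $_POST['example_import'] ) || empty( $_FILES['example_file']['tmp_name'] ) ) {
        return;
    }

    // 1. Capability check. Reaching admin_init (or is_admin() being true)
    //    does not imply an administrator; require the capability that
    //    legitimately governs site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check. The upload form is expected to include
    //    wp_nonce_field( 'example_import_action', 'example_import_nonce' );
    //    check_admin_referer() dies if the nonce is missing or invalid.
    check_admin_referer( 'example_import_action', 'example_import_nonce' );

    // 3. Parse JSON rather than PHP serialization, so the import file can
    //    never instantiate objects.
    $settings = json_decode( file_get_contents( $_FILES['example_file']['tmp_name'] ), true );
    if ( ! is_array( $settings ) ) {
        wp_die( 'Invalid import file.', '', array( 'response' => 400 ) );
    }

    // 4. Allow-list. Only this plugin's own option may be written, and only
    //    after its contents have been reduced to known keys and types.
    $allowed = array( 'example_smtp_settings' );
    foreach ( $settings as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) ) {
            continue; // silently drop attempts to write default_role and friends
        }
        update_option( $name, example_sanitize_settings( (array) $value ) );
    }
}
add_action( 'admin_init', 'example_hardened_import_handler' );

// Keep only the keys the plugin knows about, each coerced to the expected type.
function example_sanitize_settings( array $raw ) {
    return array(
        'smtp_host' => sanitize_text_field( isset( $raw['smtp_host'] ) ? $raw['smtp_host'] : '' ),
        'smtp_port' => absint( isset( $raw['smtp_port'] ) ? $raw['smtp_port'] : 587 ),
        'smtp_user' => sanitize_text_field( isset( $raw['smtp_user'] ) ? $raw['smtp_user'] : '' ),
    );
}
```

The important design point is that the capability and nonce checks sit inside the handler itself, not in the surrounding page logic: `is_admin()` is also true for admin-ajax.php and admin-post.php, so it cannot substitute for `current_user_can()`. Restricting writes to an allow-listed option name is what removes the “arbitrary option update” primitive even if a later bug bypasses the authorization checks.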

Attacks In The Wild

We are seeing malicious requests being used in the wild. While most of them target /wp-admin/admin-post.php, other endpoints in the /wp-admin/ directory can be used to trigger the admin_init hook and exploit the vulnerability.
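For sites that may already have been hit, the following added example (not part of the original post, and not Sucuri tooling) audits the three options named above plus the usual end result of this attack chain, a newly created administrator. It expects to run inside a WordPress bootstrap, for instance via WP-CLI with `wp eval-file audit-options.php`; the function name and the assumed baseline (registration closed, new users are subscribers) are assumptions you should adjust to the site’s intended configuration.

```php
<?php
/*
 * Added example, not from the original post. Post-incident triage of the
 * options this attack writes. Run under a WordPress bootstrap, e.g.
 * `wp eval-file audit-options.php`. Baseline values are assumptions.
 */

function example_audit_options() {
    $findings = array();

    // Baseline assumed here: self-registration disabled. Attackers flip this
    // to 1 so they can create their own account.
    if ( (int) get_option( 'users_can_register' ) !== 0 ) {
        $findings[] = 'users_can_register is enabled';
    }

    // Baseline assumed here: new accounts are subscribers. Attackers set this
    // to 'administrator' so the account they register is privileged.
    $default_role = get_option( 'default_role' );
    if ( 'subscriber' !== $default_role ) {
        $findings[] = "default_role is '{$default_role}' (expected 'subscriber')";
    }

    // The roles table lives in the {prefix}_user_roles option (wp_user_roles
    // with the default prefix); wp_roles() reads it for us. Flag any
    // non-administrator role that has gained administrator-level capabilities.
    // unfiltered_html is omitted because editors hold it legitimately.
    $sensitive = array(
        'manage_options', 'edit_plugins', 'edit_themes', 'install_plugins',
        'edit_users', 'promote_users', 'delete_users',
    );
    foreach ( wp_roles()->roles as $role => $definition ) {
        if ( 'administrator' === $role ) {
            continue;
        }
        $granted = array_keys( array_filter( $definition['capabilities'] ) );
        $bad     = array_intersect( $granted, $sensitive );
        if ( ! empty( $bad ) ) {
            $findings[] = "role '{$role}' has " . implode( ', ', $bad );
        }
    }

    // Most recently registered administrators, for manual review.
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
        'number'  => 5,
    ) );
    foreach ( $admins as $user ) {
        $findings[] = sprintf(
            'administrator %s registered %s (review)',
            $user->user_login,
            $user->user_registered
        );
    }

    return $findings;
}

foreach ( example_audit_options() as $line ) {
    echo $line, PHP_EOL;
}
```

Because the payload writes directly to wp_options, fixing the values back is not enough on its own: remove any administrator account the site owner does not recognize, and compare wp_user_roles against a known-good copy rather than only against the short capability list above.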

In Conclusion

The urgency of this particular vulnerability is defined by the associated DREAD score, which looks at damage, reproducibility, exploitability, affected users, and discoverability.

Unauthenticated attacks are very serious as they can be automated — this makes it easy for hackers to mount successful, widespread attacks against vulnerable websites. Once a bad actor has gained access to sensitive environments without supplying valid credentials, they can act as a trusted user and completely take control of a website.

The number of active installs, the ease of exploitation, and the effects of a successful attack are what make this vulnerability particularly dangerous.

If you are using version 1.3.9 of this plugin, we strongly recommend that you update it to version 1.3.9.1 as soon as possible.

In the event that you can’t update the plugin, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.


Categories: Vulnerability Disclosure, WordPress SecurityTags: Black Hat Tactics, Hacked Websites, WordPress Plugins and Themes

About Marc-Alexandre Montpas

Marc-Alexandre Montpas is Sucuri’s Senior Security Analyst who joined the company in 2014. Marc’s main responsibilities include reversing security patches and scavenging vulnerabilities, old and new. His professional experience covers eight years of finding bugs in open-source software. When Marc isn’t breaking things, you might find him participating in a hacking CTF competition. Connect with him on Twitter.

© 2021 Sucuri Inc. All rights reserved