Exploitation Level: Very Easy / Remote
DREAD Score: 9.4
Vulnerability: Arbitrary Option Update
Patched Version: 18.104.22.168
The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options of an affected site — ultimately leading to a complete site compromise.
The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites.
The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context. We’ve seen similar mistakes being made in plugins as far back as 2014.
As discussed by the original reporters of this issue, this hooked function handles a variety of administrative features. One of them, an import/export mechanism, enables an attacker to import files containing a list of options to update in the site’s database.
While this serialized content could be used to perform a PHP Object Injection attack, bad actors have found it a lot easier to simply update some WordPress options to give any users administrative privileges. The same technique can also be used to enable user registration when they otherwise wouldn’t be able to.
Some of the options used include the default_role, users_can_register and wp_user_roles, which are stored in the wp_options table.
Attacks In The Wild
We are seeing malicious requests being used in the wild. While most of them target /wp-admin/admin-post.php, other endpoints in the /wp-admin/ directory can be used to trigger the admin_init hook and exploit the vulnerability.
The urgency of this particular vulnerability is defined by the associated DREAD score, which looks at damage, reproducibility, exploitability, affected users, and discoverability.
Unauthenticated attacks are very serious as they can be automated — this makes it easy for hackers to mount successful, widespread attacks against vulnerable websites. Once a bad actor has gained access to sensitive environments without supplying valid credentials, they can act as a trusted user and completely take control of a website.
The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.
If you are using version 1.3.9 of this plugin, we strongly recommend that you update it to version 22.214.171.124 as soon as possible.
In the event that you can’t update the plugin, you can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.