This week a severe vulnerability in the Easy WP SMTP WordPress plugin was patched by its authors. Easy WP SMTP lets site owners route outgoing email through an SMTP server so that their messages are less likely to land in spam or junk folders. The vulnerability allows attackers to gain unauthenticated access to sites running the plugin. With over 300,000 active installations, thousands of users are affected by this zero-day vulnerability in version 1.3.9.
Users are urged to update the plugin to the latest version 220.127.116.11 immediately! The update closes the hole that lets an unauthenticated user hijack and modify a WordPress site. The vulnerable code performs no user capability checks, so no special permissions are needed to gain full control of a site.
An import/export mechanism allows an attacker to import a file containing a list of options to write into the wp_options database table. Serialized content in such a file could be used for PHP object injection attacks; however, it is easier for an attacker simply to overwrite entries in the wp_options table. Options reachable this way include the default role for new users, user roles, and registered users (subscribers).
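To make the missing-check problem concrete, here is an added, simplified options-import handler written for this post (not Easy WP SMTP's own code) in the insecure shape described above, beside a hardened version using WordPress's capability, nonce and option APIs. The option names and the `ewps_import` action/nonce names are constructed for the example.

```php
<?php
// Illustrative example, not the plugin's code. Assumes WordPress is loaded.

// INSECURE: no capability or nonce check, so any visitor can submit a file; every key
// in it is written to wp_options, and serialized strings are unserialized, which is
// the PHP object injection surface mentioned above.
function insecure_import_options() {
    if ( empty( $_FILES['import']['tmp_name'] ) ) {
        return;
    }
    $options = json_decode( file_get_contents( $_FILES['import']['tmp_name'] ), true );
    foreach ( (array) $options as $name => $value ) {
        if ( is_serialized( $value ) ) {
            $value = unserialize( $value );  // user-supplied object graph
        }
        update_option( $name, $value );      // can hit default_role, users_can_register, ...
    }
}

// HARDENED: require manage_options, verify a nonce, accept only the plugin's own option
// names with scalar values, and never unserialize() user-supplied data.
function hardened_import_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ewps_import_nonce' );  // constructed nonce action name
    if ( empty( $_FILES['import']['tmp_name'] ) ) {
        return;
    }
    // Constructed allowlist: only settings this plugin legitimately owns.
    $allowed = array( 'ewps_smtp_host', 'ewps_smtp_port', 'ewps_from_name' );
    $options = json_decode( file_get_contents( $_FILES['import']['tmp_name'] ), true );
    if ( ! is_array( $options ) ) {
        return;
    }
    foreach ( $options as $name => $value ) {
        if ( ! in_array( $name, $allowed, true ) || ! is_scalar( $value ) ) {
            continue;  // drop unknown keys (e.g. core role options) and nested/serialized data
        }
        update_option( $name, sanitize_text_field( (string) $value ) );
    }
}

// Only the hardened handler is wired up; the action name is hypothetical.
add_action( 'admin_post_ewps_import', 'hardened_import_options' );
```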
It is recommended users immediately do the following:
- Update your plugin from version 1.3.9 to version 18.104.22.168
- Update your WordPress admin password
- Update your SMTP password
- Run a WordPress vulnerability scan on your database and files
It is important that users follow proper website security practices, such as updating plugins, themes, and WordPress core immediately after a security update is released. Sites secured with SiteLock INFINITY receive automated daily WordPress vulnerability scans, core CMS security patching, and database protection. Protect your site today: contact SiteLock and ask about INFINITY. We're available 24/7 via phone, live chat, or email to help.