How attackers exploit the WordPress Easy-WP-SMTP zero-day


On November 6th, 2019, Detectify added security tests for 50+ of the most popular WordPress plugins, including Easy-WP-SMTP. Although the zero-day affecting Easy-WP-SMTP (CVE-2020-35234) was recently patched, WordPress estimates that many of the 500,000+ active installs of the plugin remain unpatched. Detectify scans your applications for this vulnerability and alerts you if you are running a vulnerable version of WordPress and WordPress plugins.

What can happen if I’m vulnerable?

The issue is a Sensitive Data Exposure vulnerability (CVE-2020-35234) that allows attackers to take over your WordPress Administrator account by finding and using a password reset link in improperly secured log files. Because the folder where the log files are stored does not contain an index file, an attacker could, if directory listing is enabled on the web server:

  1. access the log file containing all sent emails,
  2. view and click the password reset link in the log file,
  3. perform a password reset,
  4. log in as an admin, and
  5. achieve Remote Code Execution (RCE) by modifying themes with arbitrary PHP code and/or installing malicious plugins.
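The root cause above is a log directory that the web server is willing to list. The following self-check, an added example that is not Detectify's or the plugin's code, shows how to tell from a single HTTP response body whether a directory on your own site is being auto-indexed and which log-like files that index exposes. The log directory path and both HTML responses are constructed placeholders (the article does not give the plugin's real log location); the "Index of" title heuristic matches the auto-index pages Apache and nginx generate.

```python
"""
Offline check for a listable plugin log directory (the failure mode the
article describes). Added example; the path and sample responses are
constructed placeholders, not values from the plugin or the article.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import urlopen

# Placeholder: substitute the real log directory of the plugin on your site.
LOG_DIR_PATH = "/wp-content/plugins/PLUGIN_DIR/LOG_DIR/"

# File extensions that typically hold mail/debug logs.
LOG_EXTENSIONS = (".log", ".txt")


class _IndexPageParser(HTMLParser):
    """Collect the <title> text and every <a href> target from an HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html: str) -> bool:
    """Apache and nginx auto-index pages are titled 'Index of /<path>'."""
    parser = _IndexPageParser()
    parser.feed(html)
    return parser.title.strip().lower().startswith("index of")


def exposed_log_files(html: str, base_url: str) -> list:
    """Absolute URLs of log-like files linked from an auto-generated index."""
    if not is_directory_listing(html):
        return []
    parser = _IndexPageParser()
    parser.feed(html)
    return [urljoin(base_url, h) for h in parser.hrefs
            if h.lower().endswith(LOG_EXTENSIONS)]


def verdict(html: str, base_url: str) -> str:
    """Human-readable result for one directory response."""
    if not is_directory_listing(html):
        return "not listable"
    files = exposed_log_files(html, base_url)
    return "listable; log files exposed" if files else "listable; no log files"


def check_live(site_root: str, path: str = LOG_DIR_PATH) -> str:
    """Fetch the directory from your own site and classify it (network access)."""
    url = urljoin(site_root, path)
    with urlopen(url, timeout=10) as resp:  # noqa: S310 - operator-supplied URL
        return verdict(resp.read().decode("utf-8", "replace"), url)


# Constructed sample: an Apache-style index of a listable log directory.
LISTING_SAMPLE = """<html><head><title>Index of /wp-content/plugins/PLUGIN_DIR/LOG_DIR</title></head>
<body><h1>Index of /wp-content/plugins/PLUGIN_DIR/LOG_DIR</h1><pre>
<a href="../">Parent Directory</a>
<a href="2020-12-01.log">2020-12-01.log</a>
<a href="debug.txt">debug.txt</a>
</pre></body></html>"""

# Constructed sample: the same directory after dropping an empty index.php
# into it (or disabling auto-indexing in the server configuration).
HARDENED_SAMPLE = "<html><head><title></title></head><body></body></html>"

if __name__ == "__main__":
    base = "https://example.com" + LOG_DIR_PATH
    print("before:", verdict(LISTING_SAMPLE, base), exposed_log_files(LISTING_SAMPLE, base))
    print("after: ", verdict(HARDENED_SAMPLE, base))
```

A "listable" result on your own install means the directory index itself is the problem, independent of the plugin version: upgrade to Easy-WP-SMTP 1.4.4 as the article advises, and also turn off auto-indexing for the document root (`Options -Indexes` in Apache, `autoindex off` in nginx) or place an empty `index.php` in the log directory so a later plugin with the same habit cannot expose its logs either.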

Who is affected by this vulnerability?

Unpatched WordPress Easy WP SMTP installs running version 1.4.2 or earlier.

What should I do if I see this finding in my Detectify report?

Immediately upgrade to Easy-WP-SMTP version 1.4.4.

How does Detectify check for this?

Detectify has been able to detect improperly secured log files for the Easy-WP-SMTP plugin since November 2019. Earlier this month, Detectify updated our in-tool Easy-WP-SMTP Log Disclosure security tests with references and findings text to provide additional information to affected customers.

Detectify detects similar vulnerabilities in the most popular WordPress plugins. We suspect that other plugins may also store sensitive data that can be abused by attackers, so we strongly recommend checking all of your plugins.

More information

Detectify is a continuous web scanner and monitoring service that can be set up for automated scanning for 2000+ known vulnerabilities including the OWASP Top 10 and WordPress plugin vulnerabilities. Start your free 2-week trial today and check for the latest vulnerabilities!
