Malicious actors are abusing a zero-day flaw in the popular Easy WP SMTP plugin for WordPress, installed on more than 500,000 sites, to reset admin passwords and install rogue plugins.
The vulnerability is an improper access control issue: a remote attacker can read the plugin's debug log after requesting a password reset, grab the reset link and take over the admin account. The flaw affects Easy WP SMTP v1.4.2 and earlier. Although a patch addressing the issue was released last week, many sites using the plugin remain vulnerable.
According to NinTechNet, the problem lies in a feature in Easy WP SMTP that writes debug logs for all emails sent by the site and stores them in its installation folder.
“The plugin’s folder doesn’t have any index.html file, hence on servers that have directory listing enabled, hackers can find and view the log,” the researchers explain.
Once attackers have found the log, they run the usual username enumeration scans to find the admin login name. They then open the login page, request a reset of the admin password and copy the reset link that WordPress sent, which appears in the Easy WP SMTP debug log. Using this link they reset the admin password and gain access to the admin dashboard, after which they install additional plugins on the compromised site.
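As an added illustration, not code from the article or from the plugin's authors: a small log-correlation check that flags the chain described above in Apache combined-format access logs, so site owners can look for it in their own history. The sample log lines, the IP addresses and the debug-log filename are constructed; the plugin folder path and the `wp-login.php?action=rp` reset-link URL are assumptions based on standard WordPress layout.

```python
"""Detect the Easy WP SMTP debug-log takeover chain in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"   # assumed install path
STATIC = (".php", ".js", ".css", ".png", ".gif", ".svg")  # normal plugin assets

# Constructed sample traffic, not real logs: one full chain, one blocked
# listing attempt (403) and one ordinary password-reset request.
SAMPLE_LOG = """\
203.0.113.9 - - [15/Dec/2020:10:00:01 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2020:10:00:03 +0000] "GET /wp-content/plugins/easy-wp-smtp/debug_log.txt HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2020:10:00:20 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2020:10:00:45 +0000] "GET /wp-content/plugins/easy-wp-smtp/debug_log.txt HTTP/1.1" 200 9640 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Dec/2020:10:01:02 +0000] "GET /wp-login.php?action=rp&key=PLACEHOLDER&login=admin HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Dec/2020:10:05:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.68"
198.51.100.7 - - [15/Dec/2020:11:00:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def stage(path, status):
    """Map one request to a stage of the chain, or None if it is unrelated."""
    if path.startswith(PLUGIN_DIR):
        if status != 200:            # listing denied or file absent: harmless
            return None
        if path == PLUGIN_DIR:
            return "listing"         # directory index of the plugin folder served
        return None if path.endswith(STATIC) else "logread"  # non-asset file read
    if path.startswith("/wp-login.php?"):
        if "action=lostpassword" in path:
            return "reset_request"
        if "action=rp" in path:
            return "reset_link"      # reset link (normally only in the email) used
    return None

def find_chains(log_text, window=timedelta(minutes=30)):
    """Return {ip: [stages]} for clients that read the plugin folder and then
    touched the password-reset flow within `window` of that first read."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        s = stage(m["path"], int(m["status"])) if m else None
        if s:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            seen[m["ip"]].append((ts, s))
    hits = {}
    for ip, events in seen.items():
        reads = [t for t, s in events if s in ("listing", "logread")]
        resets = [t for t, s in events if s in ("reset_request", "reset_link")]
        if reads and any(timedelta(0) <= r - min(reads) <= window for r in resets):
            hits[ip] = [s for _, s in events]
    return hits
```

A site whose plugin folder returns 403 or 404 for the directory index never produces a "listing" stage, which is the state a fixed or hardened install should be in.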