
Update now! WordPress hackers target Easy WP SMTP plugin

Two hacking groups have been spotted targeting websites running unpatched versions of the WordPress plugin Easy WP SMTP.

Easy WP SMTP, which has more than 300,000 installs, is marketed as a plugin that lets WordPress sites route their bulk emails via a reputable SMTP server as a way of ensuring they aren’t spamholed by suspicious email providers.

Unfortunately, version 1.3.9 is vulnerable to a security flaw that allows attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious redirects.

According to WordPress firewall developer Defiant (formerly WordFence), the problem lies with the Import/Export functionality added to 1.3.9:

The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

This does not check the user capability, which means any logged-in user, including a subscriber, could trigger it.
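To make the flaw described in that quote concrete, here is an added illustrative example (not Easy WP SMTP’s own code, and not taken from Defiant’s post) of an `admin_init` handler that processes a settings import. The first variant shows the pattern the advisory describes: the hook fires on every `wp-admin` request for any logged-in user and nothing checks who is asking. The second adds the checks WordPress expects. The option name, request parameters, nonce action and setting keys are assumptions chosen for the example.

```php
<?php
// Illustrative example, not the plugin's code. Option name, request parameter
// and nonce action below are assumptions made for this demonstration.

// --- Vulnerable pattern ---------------------------------------------------
// admin_init fires for every wp-admin request, including admin-ajax.php and
// admin-post.php, for ANY logged-in user (subscribers included). Nothing here
// verifies capability or request origin, so a subscriber can overwrite the
// site's settings by posting the right parameter.
function example_vulnerable_import() {
    if ( ! isset( $_POST['example_import_settings'] ) ) {
        return;
    }
    $settings = json_decode( wp_unslash( $_POST['example_import_settings'] ), true );
    if ( is_array( $settings ) ) {
        update_option( 'example_plugin_settings', $settings ); // no capability check
    }
}
// add_action( 'admin_init', 'example_vulnerable_import' ); // left disabled on purpose

// --- Hardened pattern -----------------------------------------------------
function example_hardened_import() {
    if ( ! isset( $_POST['example_import_settings'] ) ) {
        return;
    }

    // 1. Capability check: only users allowed to manage the site may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the request must come from the plugin's own settings form,
    //    which renders wp_nonce_field( 'example_import', 'example_import_nonce' ).
    //    check_admin_referer() calls wp_die() itself on failure.
    check_admin_referer( 'example_import', 'example_import_nonce' );

    // 3. Accept only the keys the plugin defines, and sanitise each one with a
    //    sanitiser appropriate to its type. Unknown keys are dropped.
    $sanitisers = array(
        'smtp_host'  => 'sanitize_text_field',
        'smtp_port'  => 'absint',
        'from_email' => 'sanitize_email',
    );
    $raw = json_decode( wp_unslash( $_POST['example_import_settings'] ), true );
    if ( ! is_array( $raw ) ) {
        wp_die( esc_html__( 'Invalid import data.', 'example' ), '', array( 'response' => 400 ) );
    }
    $clean = array();
    foreach ( $sanitisers as $key => $sanitiser ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitiser, $raw[ $key ] );
        }
    }
    update_option( 'example_plugin_settings', $clean );
}
add_action( 'admin_init', 'example_hardened_import' );
```

The capability check is the fix for the bug the advisory names; the nonce check closes the companion problem (a privileged user being tricked into submitting the form from another site), and the allow-list stops an import from writing arbitrary option keys. All three belong in any handler hung off `admin_init`, `admin_post_*` or `wp_ajax_*`.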

It’s not clear from the plugin changelog how long 1.3.9 has been in use but a second firewall company, Ninja Technologies, said it first picked up attacks exploiting the weakness “since at least March 15.”

One campaign appears to be exploiting the vulnerability to grab admin privileges, while a second sends visitors to malicious sites before…

Injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.
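As an added triage aid (not from the article or either firewall vendor), the following PHP script walks a WordPress install and reports `.php` files whose name contains “index” and whose contents include a `<script` tag, which is the injection pattern quoted above. The directory tree it scans is constructed inside the script so it runs stand-alone; point `find_injected_index_files()` at a real document root to use it for real.

```php
<?php
// Added detection example: flag .php files with "index" in the name that
// contain a <script tag. The sample tree below is constructed for the demo.

function find_injected_index_files( string $root ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $name = $file->getFilename();
        // Match the quoted pattern: .php files with "index" anywhere in the name
        // (index.php, but also class-link-reindex-post-service.php).
        if ( stripos( $name, 'index' ) === false || substr( $name, -4 ) !== '.php' ) {
            continue;
        }
        $contents = file_get_contents( $file->getPathname() );
        // A <script ...> tag inside a PHP file is unusual enough to warrant review.
        if ( $contents !== false && preg_match( '/<script\b/i', $contents ) ) {
            $hits[] = $file->getPathname();
        }
    }
    sort( $hits );
    return $hits;
}

// --- Self-contained demo on a constructed mini-tree ----------------------
$root = sys_get_temp_dir() . '/wp-scan-demo-' . getmypid();
mkdir( "$root/wp-content/plugins/example", 0700, true );

// Clean front controller: should NOT be reported.
file_put_contents( "$root/index.php", "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n" );

// Constructed: simulates a tag prepended to a plugin file whose name contains "index".
file_put_contents(
    "$root/wp-content/plugins/example/class-link-reindex-post-service.php",
    "<script src=\"https://example.invalid/x.js\"></script><?php\nclass Example_Reindex {}\n"
);

// Legitimate file that echoes a script tag but has no "index" in its name: out of scope.
file_put_contents( "$root/wp-content/plugins/example/functions.php", "<?php\necho '<script>ok</script>';\n" );

foreach ( find_injected_index_files( $root ) as $path ) {
    echo "Suspicious: $path\n";
}
// Expected: only class-link-reindex-post-service.php is listed.

// Clean up the constructed tree.
foreach ( new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ), RecursiveIteratorIterator::CHILD_FIRST ) as $f ) {
    $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
}
rmdir( $root );
```

Treat hits as leads rather than verdicts: themes and plugins legitimately echo `<script>` tags from PHP, so compare each flagged file against a clean copy of the same plugin version before deleting anything, and remember that a file-name heuristic only catches the campaign described here.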

How widely exploited is this flaw?

The last dozen or so comments on the plugin’s support forum are from users who claim their sites were targeted. Although these can’t be verified, one of them claimed to have lost “10 client sites in 3 days.”

What to do

What admins do next depends on whether they believe their site has been targeted or not.

Defiant offers a long list of possible indicators of compromise (IoCs) in its blog post. If you see none of them, first change the WordPress and SMTP passwords, then apply the update to version 1.3.9.1 as an urgent priority.

If you think your site might have been targeted, the recommended action is to first reinstate it from a pre-hack backup before applying the update and changing those passwords.

If no backup is available, the plugin’s developers offer instructions for manually cleaning a site before turning on automatic or scheduled backups as a future defence.

Last week it was users of the Abandoned Cart for WooCommerce plugin who were being urged to update as soon as possible. The moral of these stories is that diligent updating of plugins has become an important part of securing any site.

5 Comments

This is old news. If anyone hasn’t already patched, they’ve most likely already been hacked. I was, six days ago, and fixed the same day.

While the vulnerability that was exploited was fixed in 1.3.9.1, that version still contains other vulnerabilities related to the one exploited that haven’t been fixed. [URL redacted]

Here’s something more timely for you. ‘A WordPress plugin, called Social Warfare, was to blame, which contained a “zero day” XSS vulnerability (ie, a previously unknown security vulnerability).

This lead to thousands of websites worldwide being attacked [. . .]’
This happened over the weekend.

We didn’t write that up here but we did post a warning via our Twitter feed:
https://twitter.com/NakedSecurity/status/1109040423006359552
