The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options of an affected site — ultimately leading to a complete site compromise.
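The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites. The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context: admin_init fires on every request that loads the WordPress admin bootstrap, including admin-ajax.php and admin-post.php, which visitors who are not logged in can reach, so a function hooked to it is not limited to authenticated administrators.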
As discussed by the original reporters of this issue, this hooked function handles a variety of administrative features. One of them, an import/export mechanism, enables an attacker to import files containing a list of options to update in the site’s database.
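As an added example (not code from the plugin or from the original report), the following heuristic Python audit flags admin_init callbacks that write options without a capability check or a nonce check. The PHP sample and its demo_* names are constructed for illustration; the audit only follows string-named callbacks and does not parse braces inside PHP strings.

```python
import re

# Constructed sample plugin source (NOT the Easy WP SMTP code): one admin_init
# callback that writes options with no checks, and one that is guarded.
SAMPLE_PHP = r'''<?php
add_action( 'admin_init', 'demo_unguarded_import' );
function demo_unguarded_import() {
    if ( isset( $_FILES['demo_file'] ) ) {
        $data = json_decode( file_get_contents( $_FILES['demo_file']['tmp_name'] ), true );
        foreach ( $data as $name => $value ) { update_option( $name, $value ); }
    }
}
add_action( 'admin_init', 'demo_guarded_import' );
function demo_guarded_import() {
    if ( ! current_user_can( 'manage_options' ) ) { return; }
    check_admin_referer( 'demo_import' );
    update_option( 'demo_setting', sanitize_text_field( $_POST['demo_setting'] ) );
}
'''

HOOK_RE = re.compile(r"add_action\(\s*['\"]admin_init['\"]\s*,\s*['\"](\w+)['\"]")
WRITE_RE = re.compile(r"\b(?:update|add|delete)_option\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Return the text between the braces of `function name(...)`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:            # naive brace matching (heuristic)
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_admin_init(src):
    """List (callback, missing checks) for admin_init callbacks that write options."""
    findings = []
    for name in HOOK_RE.findall(src):
        body = function_body(src, name)
        if body is None or not WRITE_RE.search(body):
            continue                          # not found, or no option writes
        checks = (("capability check", CAP_RE), ("nonce check", NONCE_RE))
        missing = [label for label, rx in checks if not rx.search(body)]
        if missing:
            findings.append((name, missing))
    return findings

if __name__ == "__main__":
    print(audit_admin_init(SAMPLE_PHP))
```

A finding is a prompt for manual review, not proof of a flaw: a check may live in a helper the callback calls, which this heuristic does not follow.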
In Conclusion
Unauthenticated attacks are very serious as they can be automated — this makes it easy for hackers to mount successful, widespread attacks against vulnerable websites. Once a bad actor has gained access to sensitive environments without supplying valid credentials, they can act as a trusted user and completely take control of a website.
The number of active installs, the ease of exploitation, and the effects of a successful attack are what make this vulnerability particularly dangerous.
If you are using version 1.3.9 of the Easy WP SMTP plugin, we strongly recommend that you update it to version 1.3.9.1 as soon as possible.
O’Brien Media website support and maintenance customers
O’Brien Media customers who have website support or website maintenance plans will already have had their websites updated to patch this vulnerability. If you’re interested in website support or website maintenance packages for your website, just get in touch or call 01793 239239.