The popular Easy WP SMTP plugin for WordPress, which boasts over 500,000 active installations, recently patched a critical vulnerability that could allow an attacker to take control of a site. This flaw allows hackers to reset the admin password and gain complete control of the website.
Easy WP SMTP Vulnerability
The vulnerability exists in a debug log file that is exposed due to a fundamental error in how the plugin maintains a folder. Typically, plugin folders on a server that contain files not meant for public view have a blank index.html file. This file’s purpose is to prevent users from navigating to the folder and discovering the list of files inside.
If someone can see the list of files, they can potentially access those files. This is precisely what happens in this case.
The folder containing the debug log file lacks an index.html file. Consequently, on servers where directory index listings are not disabled by default, a malicious hacker can access that file.
Here’s how the attack unfolds: the hacker first obtains an admin-level username from the target WordPress site using widely known methods. Then, they visit the WordPress login page and request a password reset for the admin account. Finally, they access the debug log file, retrieve a record of the password reset link that the WordPress site sent, use that link to reset the password, and subsequently gain full access to the site.
Folder Issue Documented in Changelog
The Easy WP SMTP plugin maintains a changelog that documents all changes within each update. Changelogs are meant to be read to understand what an update entails.
Normally, when a vulnerability is being patched, the plugin developers note it, providing WordPress publishers with the necessary information to decide whether to update the plugin. A changelog that indicates a vulnerability fix allows publishers to make an informed decision to update the plugin to avoid potential hacks.
The Easy WP SMTP plugin changelog only mentions that an index.html file is being added to a folder to prevent browsing. While this should be a warning that the update is critical, it only serves those publishers who understand the risks associated with an exposed folder.
Update Plugin Immediately
Detailed information about this vulnerability is available on security-focused blogs.
It is highly recommended that all users of the Easy WP SMTP plugin update to a version higher than 1.4.2 to secure their sites against this vulnerability.
