Zero-Day Vulnerability in WordPress Easy WP SMTP Plugin Fixed

Updated on December 25, 2021

Zero-Day WordPress Plugin Vulnerability

If you are in the process of creating your first website, like others, your first preference will be WordPress, and there is nothing wrong with it. There is a long list of reasons that authenticate why WordPress is one of the most sought-after website platforms across the world. Some of them are – ease of use, preference by search engines, no HTML editing, built-in blog, provision of having multiple users, etc.

The term “zero day” comes from the fact that the vulnerability has yet to be fixed by security professionals.

Important To Note: When you hear about a new Zero Day in WordPress or a theme or plugin, you need to pay careful attention. Immediately check to see if there is a fix available. If left unpatched, it can get your wordpress hacked.

However, on the flip side, as per tech experts, all websites on the internet are vulnerable to hacking attempts, and WordPress websites are no different. Now and then we get to hear about a WordPress website being compromised. Faulty plugins seem to be one of the key reasons responsible for Website hacking.

Some of the leading ones are the GDPR Compliance Plugin, Recent Backups Plugin, WordPress Database Backup Plugin and many more. Critical zero-day vulnerability in WordPress Easy WP SMTP plugin, is the new one to populate the list.

Also Read – WordPress REST API Vulnerability Content Injection Exploit [FIXED]

Protection against WordPress Plugin Zero Day Exploit

While Zero Day vulnerabilities are more serious than known WordPress vulnerabilities, there are various methods one can use to protect against them.

Signature based defense:

This technique uses pattern matching to identify patterns in known vulnerabilities. it can identify known attacks like SQL injection that target products suffering from a Zero Day vulnerability in WordPress. A firewall may be able to protect against the attack because the specific attack type, whether SQL injection, XSS or another type, may be known.

Statistical Defence:

They will then alert if traffic or behaviour deviates from that normal profile. For example, if an email user on a protected network receives a message from someone who has never contacted them in the past, the statistical algorithm might flag the email for further inspection.

Behavioral Defense:

There are various ways to implement this technique, but a common implementation relies on a ‘honeypot’. A honeypot is a machine that is purposely made less secure and is used to detect the presence of hackers when they target that machine with weak security. In this case the honeypot is monitored for any unusual changes.

Hybrid Defence:

These use a combination of statistical, behavioural and traditional signature based algorithms. They are more effective because they avoid weaknesses in any single detection technique.

Also Read – IndoXploit WordPress Hack – What It Is & How To Fix It

WordPress Easy WP SMTP Plugin Vulnerability

Problem –

Version 1.3.9 of the Easy WP SMTP plugin is vulnerable to a security flaw that could allow attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious url redirects.

Affected Versions

WordPress Easy WP SMTP Plugin version 1.3.9

Easy WP SMTP plugin, with 300,000+ active installations, is one of the most popular WordPress plugins. It allows the user to configure and send all outgoing emails via SMTP server. This further averts the emails from going to the recipients’ junk/spam folder.

Of late, the plugin was prone to a zero-day vulnerability. As per this, the hacker gains access to make changes to WordPress options or to execute code among other unethical actions. This Zero-Day WordPress Plugin Vulnerability is found in version 1.3.9.

As and when a user accesses the admin area, above admin_init()function, from the easy-wp-smtp.php script is run through admin_init hook. This is put into use to update options, view/delete the log, and import/export the plugin configuration in the WordPress database. The disadvantage here is that there is no inspection being done of the capability of the user; therefore any logged in user, for instance, a subscriber, can easily trigger it.

But it can also be authenticated by the hackers as Easy WP SMTP uses AJAX and the admin_init hook functions on admin-ajax.php.

Note – It is not mandatory that it will run on user-facing admin screens, but it runs on admin-post.php and admin-adjax.php as well.

Therefore, a hacker will effortlessly send an AJAX request, for instance, action=swpsmtp_clear_log. This will activate the , and he will execute its code.

Also Read – WordPress GDPR Compliance Plugin Exploit Vulnerability

Insufficient Access Controls In Import/Export Feature

The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

When this hook fires, the plugin checks for the existence of the POST parameter swpsmtp_import_settings. If this parameter is set to 1, it assumes that an import is taking place and checks for a file upload as swpsmtp_import_settings_file. The contents of the uploaded file are unserialized, and update_option is run on each given key/value pair.

In this example, swpsmtp_import_settings will be used to upload a file containing a malicious serialized payload. This will facilitate registration of the users (users_can_register) and set the default role (default_role) to administrator in the database.

Create a file name “/tmp/upload.txt” with the following content –

a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

Upload the file –

$ curl https://VICTIM.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'

In addition, there are other vulnerabilities which could be exploited, such as –

The plugin configuration, comprising of the username & password, SMTP host, could also be exported and used for sending spam emails.
Remote Code Execution through PHP Object Injection since Easy WP SMTP uses unsafe unserialize() calls.
Deleting/viewing the log or any file name (considering the fact that the hackers can easily make changes to the log filename).

Interestingly, the attempts were caught by our firewall. We analyzed and found that the hackers made their best efforts to exploit the vulnerability to make changes to the content of WordPress wp_user_roles option in the database and to give administrator capabilities to all the users.

Creating an admin account is easily noticeable in the WP users section, whereas changing capabilities is not easily noticeable. This means, a typical subscriber will appear as a subscriber but can easily carry out all the things an admin is supposed to do.

Also Read – How To Change Default WordPress Username?

How Does WordPress zero day exploit Controls Vulnerable Websites?

We have been tracking various activities, associated with the vulnerability, from two different hackers. As per our extended observation, the attacks were made identically with the help of Proof of Concept (PoC) exploit discussed above.

These attacks are pretty much the same as PoC, down to the checksum, and facilitates the users to register administrator accounts by altering default_role to the administrator, and also to enable users_can_register.

This is the point from where the campaigns deviate. After this point, the actions of the first hacker tend to stop. This suggests that this particular stage was only an automated step of their process and they are just collecting numerous rogue admin to be used in the later stage.

The other campaign persists by making changes to the site url of the victim’s website. Home options are also changed to activate harmful redirects whenever the site is being visited; then all PHP files receive harmful <script> tags on the affected website along with string ‘index’ which is already existing in their name.

This tends to affect all those files named as index.php. Besides, it also happens to change files like class-link-reindex-post-service.php, which is there in the SEO plugin of Yoast.

Also Read – WordPress Arbitrary File Deletion Vulnerability Exploit ? FIXED

Consequent Steps

It has been found that the attacks against this vulnerability are far-reaching, and the worst part is that the successful exploits by the hackers can provide them full control of the website.

It is advisable that the users should update their plugins regularly so that security patches can be applied for such vulnerabilities.

Easy WP SMTP version 1.3.9.1 tend to prevent unauthorised access to the import script and also curb affected options to include anticipated values only.

As a WordPress user, if you think that your website has been compromised because of this vulnerability or any other, you can reach us for site cleaning. Or else, you can have a lookout on all the below-mentioned indicators of compromise (IOCs) –

Logged traffic from the following IPs –

86.109.170.200
185.212.131.46
185.212.128.22
185.212.131.45

Harmful <script> tags injected into the first line of index.php files. For instance – <script type=’text/javascript’ async src=’hXXps://setforspecialdomain[.]com/in2herg42t2?type=in2&frm=scr&’></script>

Presence of administrator accounts for unknown users. For instance –

larryking99
devidpentesting99 (ASK TO CHANGE THE NAMES)

Also Read – 33 Best Free WordPress Security Plugins in 2019 [Updated List]

How To Fix WordPress Zero Day Plugin Vulnerability?

There are a plethora of methods using which a thorough check of the website can be done. In the event, your website is being hacked with a harmful script; it is advisable to take a complete backup of the website.

In the process of removing the malware from the WordPress website, in case you commit a mistake, the backup will act as your savior. Once you have taken a backup of your website, you are good to go with the website scan using WordPress Malware Scanner.

Locate The Malicious Code

To locate the malicious code on your website, there are various places you can look for. It is practically not feasible to scan the code on each page of the website. In all probability, the hacker may be inside your server. And there might be some places where you require ftp/ftps login details to gain access to all these places to kick off the malware cleaning process.

If you find that the website is redirecting to some anonymous website, then it pays to look for suspicious code in the below-mentioned areas –

Make sure you check both index.html and index.php.
Do check .htaccess file.

In case, your website is asking your users for downloads; you must look at the following places –

Index file of the website
Header.php
Theme’s files.
Footer.php

Use Googlebot Simulator

Make sure you run tests, every so often, to ensure that your website is safe from malware or harmful code. This can be done by using any test to falsify you are a user agent or a Googlebot while taking assistance from a Googlebot simulator. Besides, you can also use Fetch As Google from the webmaster console of your website. You also have the convenience of commands that work through SSH client.

Important: Fetch As Google tool won’t be available after Mar 28, 2019. Please use the new URL Inspection tool instead.

By making use of specific codes, you can have access to the place where the hacking has taken place and further remove the WordPress malware manually.

Remove Bad Code/Malware

Removing the malicious scripts, that leads to website redirection to the malicious websites, will only benefit you. By using together, remove URLs feature, and by visiting Search Engine Console of Google, it is much easier to remove the malicious code with the new pages from SERPs.

Besides, you should also update the themes and plugins; this will ensure that you have installed the latest and new core theme. You should also change or reset the passwords.

Also Read –

Use Search Console to Submit Malware Consideration Request

Google Webmaster Tool is one of the beneficial tools for webmaster, and the best part is you don’t have to pay anything for it. Submit your website in GWT to gain vital information about your website. Here is the step by step guide to put malware review request with the help of Google Webmaster Tool –

First, you need to Log in to Google search console.
Second, you need to verify ownership of your website.
Third, you need to click on the website > then Dashboard > and then Security Issue.

This is where you will be shown a list of URLs which Google thinks is infected with malware. Once all your websites are malware free, you need to click on request a review. When you have done this, you can add notes in the form of actions you have adopted in the pursuit of removing the malware.

Use Search Console to Submit Malware Consideration Request Note:

An SMTP response code is just a simple way for servers to communicate with each other.When your email program makes a request, the receiving mail server will return a code that indicates the status of the message. An SMTP response code list can be used to help quickly determine why an email bounced, or why you’re receiving an SMTP error when sending an email. It can be used for testing purposes and SMTP monitoring. Here you can find the list of All SMTP Commands and Response Codes.

What’s Happening Now

We have done in-depth research of this plugin, and the results are quite shocking. As per the WordPress plugin archive, there are over 300,000 active installations at the moment. Besides, the same page also offers data about downloads every single day.

If we look closely at the last peak on the graph, it makes us acquainted with the results for March 18, 2019. And now the scary part –

Downloads today – 16,290
Downloads yesterday – 17,931
Downloads for last 7 days – 96,121

UPDATE: Another zero-day exploited by hackers to take over WordPress sites. This second zero-day impacts the Social Warfare plugin, WordPress team had temporarily removed it from the main WordPress Plugins repository .[Ref.1, Ref.2, Ref.3]

We want to say that there is still more than 300,000 websites with this plugin and download counter makes us acquainted with the fact that there are over 200,000 websites still vulnerable.

It pays to know that even the most vigilant website owner can be caught unaware and left open to attack. If you don’t have the time or lack the proficiency to manage this vulnerability, you can seek professional services of WP hacked help.