Update now! WordPress hackers target Easy WP SMTP plugin – Naked Security

Two hacking groups have been spotted targeting websites running unpatched versions of the WordPress plugin Easy WP SMTP.

Easy WP for SMTP, which has more than 300,000 installs, is marketed as a plugin that lets WordPress sites route their bulk emails via a reputable SMTP server as a way of ensuring they aren’t spamholed by suspicious email providers.

Unfortunately, version 1.3.9 is vulnerable to a security flaw that allows attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious redirects.

According to WordPress firewall developer Defiant (formerly WordFence), the problem lies with the Import/Export functionality added to 1.3.9:

The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

This does not check the user capability, which means any logged-in user, including a subscriber, could trigger it.

It’s not clear from the plugin changelog how long 1.3.9 has been in use but a second firewall company, Ninja Technologies, said it first picked up attacks exploiting the weakness “since at least March 15.”

One campaign appears to be exploiting the vulnerability to grab admin privileges, while a second the second sends visitors to malicious sites before…

Injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.


Please enter your comment!
Please enter your name here