Easy WP SMTP, a WordPress plugin, with more than 500,000 installations, allows one to configure and send all outgoing mails via a SMTP server, the major benefit of which is that the mails do not end up in the recipient’s junk/spam folder.
The team managing this plugin had fixed a zero-day vulnerability affecting versions 1.4.2 (current version 1.4.4) and lower that would allow an unauthenticated user to reset the admin password which would enable the hacker to take complete control of the website.
The vulnerability is in a debug file that is exposed because of a fundamental error in how the plugin maintained a folder.
The Easy WP SMTP plugin has an optional debug log where it writes all email messages (headers and body) sent by the blog. It is located inside the plugin’s installation folder, “/wp-content/plugins/easy-wp-smtp/”.
The log is a text file with a random name, e.g., 5fcdb91308506_debug_log.txt. The plugin’s folder doesn’t have any index.html file, hence on servers that have directory listing enabled, hackers can find and view the log:
Once this is done, the username enumeration scan is performed to find the admin login.
Hackers can also perform the same task using the author achieve scans (/?author=1).They access the login page and ask for the reset of the admin password:
Then, they access the Easy WP SMTP debug log again in order to copy the reset link sent by WordPress:
Once the link is received, they reset the admin password:
Once they had logged in to the admin dashboard, rogue plugins were installed.
It is highly recommended and advised that all users immediately update this plugin.