Two hacking groups have been spotted targeting websites running unpatched versions of the WordPress plugin Easy WP SMTP.
Easy WP SMTP, which has more than 300,000 installs, is marketed as a plugin that lets WordPress sites route their outgoing email through a reputable SMTP server, so that it isn’t flagged as spam by cautious email providers.
Unfortunately, version 1.3.9 is vulnerable to a security flaw that allows attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious redirects.
According to WordPress firewall developer Defiant (the company behind Wordfence), the problem lies with the Import/Export functionality added in 1.3.9:
The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.
This does not check the user capability, which means any logged-in user, including a subscriber, could trigger it.
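To make the point in Defiant's description concrete, here is an added example of the two patterns side by side. It is illustrative code written for this page, not the plugin's own source: the action name, nonce name and option name are hypothetical. The first handler hangs an export action off `admin_init` with no authorisation at all; the second guards the same action with a capability check and a nonce.

```php
<?php
// Added example, not Easy WP SMTP's code. Names below are hypothetical.
const EXAMPLE_ACTION = 'example_smtp_export';        // hypothetical ?action= value
const EXAMPLE_NONCE  = 'example_smtp_export_nonce';  // hypothetical nonce field name
const EXAMPLE_OPTION = 'example_smtp_settings';      // hypothetical option holding SMTP settings

// VULNERABLE pattern. admin_init fires on every request that loads wp-admin/,
// including admin-ajax.php and admin-post.php, and any authenticated user can
// reach those. Because nothing here checks who is asking, a subscriber can pull
// the settings (SMTP host, username, password) or, with a matching import
// branch, overwrite them.
function example_vulnerable_admin_init() {
    if ( isset( $_GET['action'] ) && $_GET['action'] === EXAMPLE_ACTION ) {
        $settings = get_option( EXAMPLE_OPTION, array() );
        header( 'Content-Type: application/json' );
        echo wp_json_encode( $settings );
        exit;
    }
}
// add_action( 'admin_init', 'example_vulnerable_admin_init' );

// HARDENED pattern. Same hook, but the handler bails out unless the caller
// holds manage_options (administrators only) and presents a valid nonce bound
// to this action. The nonce also stops a CSRF page from driving an admin's
// browser through the export.
function example_hardened_admin_init() {
    if ( ! isset( $_GET['action'] ) || $_GET['action'] !== EXAMPLE_ACTION ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() itself if the nonce is missing or stale.
    check_admin_referer( EXAMPLE_ACTION, EXAMPLE_NONCE );

    $settings = get_option( EXAMPLE_OPTION, array() );
    header( 'Content-Type: application/json' );
    echo wp_json_encode( $settings );
    exit;
}
add_action( 'admin_init', 'example_hardened_admin_init' );

// The link rendered on the (admin-only) settings page carries the nonce, so
// only a request that originated from that page passes check_admin_referer().
function example_export_url() {
    $url = add_query_arg( 'action', EXAMPLE_ACTION, admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, EXAMPLE_ACTION, EXAMPLE_NONCE );
}
```

The order of the two checks matters in practice: test the capability first, so that a subscriber probing the endpoint gets a plain 403 rather than a nonce-failure page that confirms the action exists. A hook that only ever serves administrators is also better placed on a dedicated `admin_post_{action}` handler than on `admin_init`, which runs for every admin-side request.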
It’s not clear from the plugin changelog how long 1.3.9 has been in use, but a second firewall company, Ninja Technologies, said it had been seeing attacks exploiting the weakness “since at least March 15.”
One campaign appears to be exploiting the vulnerability to grab admin privileges, while the second sends visitors to malicious sites before…
Injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.
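The file-name pattern Ninja Technologies describes (any PHP file with “index” in its name, not just index.php) suggests a straightforward first-pass check. The script below is an added example written for this page, not code from either vendor: it walks a WordPress install, picks out PHP files whose name contains “index”, and reports every line carrying a `<script>` tag. The sample tree it builds in a temporary directory is constructed for the demonstration.

```php
<?php
// Added example, not from the article or any vendor. Reports <script> tags in
// PHP files whose file name contains "index", the pattern described above.

function example_scan_index_files( string $root ): array {
    $hits = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() || strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        // Name-based scope, matching what the injector targeted.
        if ( stripos( $file->getFilename(), 'index' ) === false ) {
            continue;
        }
        $lines = file( $file->getPathname(), FILE_IGNORE_NEW_LINES );
        if ( $lines === false ) {
            continue;
        }
        foreach ( $lines as $n => $line ) {
            if ( preg_match( '/<script\b[^>]*>/i', $line ) ) {
                $hits[] = array(
                    'file' => $file->getPathname(),
                    'line' => $n + 1,
                    'text' => substr( trim( $line ), 0, 120 ),
                );
            }
        }
    }
    return $hits;
}

// Constructed sample tree (hypothetical contents) so the scan runs offline.
$root  = sys_get_temp_dir() . '/example-wp-' . getmypid();
$files = array(
    // Injected tag appended to the front controller.
    'index.php' => "<?php\n/** Front controller */\nrequire __DIR__ . '/wp-blog-header.php';\n"
                 . "<script src=\"//example.invalid/inject.js\"></script>\n",
    // Injected tag in a plugin file whose name merely contains "index".
    'wp-content/plugins/wordpress-seo/src/services/class-link-reindex-post-service.php'
        => "<?php\n<script type=\"text/javascript\">location.href='//example.invalid/';</script>\n"
         . "namespace Yoast\\WP\\SEO;\n",
    // Same payload, but the name lacks "index": outside this check's scope.
    'wp-content/plugins/other/other.php' => "<?php\n<script>alert(1)</script>\n",
    // Clean file, should produce no hit.
    'wp-admin/index.php' => "<?php\nrequire_once __DIR__ . '/admin.php';\n",
);
foreach ( $files as $rel => $body ) {
    $path = $root . '/' . $rel;
    if ( ! is_dir( dirname( $path ) ) ) {
        mkdir( dirname( $path ), 0700, true );
    }
    file_put_contents( $path, $body );
}

foreach ( example_scan_index_files( $root ) as $hit ) {
    printf( "%s:%d  %s\n", substr( $hit['file'], strlen( $root ) + 1 ), $hit['line'], $hit['text'] );
}
```

Treat hits as leads, not verdicts: a theme’s index.php template can legitimately contain `<script>` tags, and an injected payload can be obfuscated so that the literal string never appears. The reliable check is to diff every core, plugin and theme file against a pristine copy of the same version from WordPress.org, and the scan above only narrows down where to look first.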
How widely exploited is this flaw?
The last dozen or so comments on the plugin’s support forum are from users who claim their sites were targeted. Although these can’t be verified, one of them claimed to have lost “10 client sites in 3 days.”
What to do
What admins do next depends on whether they believe their site has been targeted or not.
Defiant offers a long list of possible indicators of compromise (IoCs) in its blog post. If you see none of these, first change the WordPress and SMTP passwords, then apply the update to version 1.3.9.1 as an urgent priority.
If you think your site might have been targeted, the recommended action is to first reinstate it from a pre-hack backup before applying the update and changing those passwords.
If no backup is available, the plugin’s developers offer instructions for manually cleaning a site before turning on automatic or scheduled backups as a future defence.
Last week it was users of the Abandoned Cart for WooCommerce plugin who were being urged to update as soon as possible. The moral of these stories is that diligent updating of plugins has become an important part of securing any site.