Easy WP SMTP, a popular WordPress plugin with over 500,000 active installations, just patched a vulnerability that allows an attacker to reset the admin password and take complete control of a website.
Easy WP SMTP Vulnerability
The vulnerability is in a debug log file that is exposed because of a very basic error in how the plugin maintained a folder. Plugin folders on a server that contain files that are not meant to be seen by users usually contain a blank index.html file. The purpose of that file is to keep someone from navigating to that folder and discovering a list of files within that folder.
If someone can see the list of files, then they can potentially access those files, and that is what happens here.
The folder where the debug log file exists does not have an index.html file. So on servers where directory index listings are not disabled by default, a malicious hacker can gain access to that file.
What they first do is obtain an admin level user name from the WordPress site they are trying to hack using widely known methods.
Then they access the WordPress login page and send a password reset for the admin account.
Finally they access the debug log file and retrieve a record of the password reset link that the WordPress site sent. Once they retrieve that link they can enter it, reset the password and then enjoy full access to the WordPress site.
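A site owner can check their own plugin tree for the same condition the article describes: a folder that holds a log file but no index file. The following is an added example, not code from the plugin or from NinTechNet; the log-name heuristic and the sample plugin and file names are assumptions.

```python
import os
import tempfile

# Names a web server commonly serves instead of an auto-generated listing.
INDEX_FILES = {"index.html", "index.htm", "index.php"}


def is_log_like(name):
    """Heuristic (assumption): '*.log' files or any file with 'debug' in its name."""
    lower = name.lower()
    return lower.endswith(".log") or "debug" in lower


def find_unguarded_log_dirs(plugins_root):
    """Return [(relative_dir, [log files])] for folders that hold log-like
    files but no index file, i.e. folders whose contents would be listed
    on a server that has directory index listings enabled."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(plugins_root):
        logs = sorted(f for f in filenames if is_log_like(f))
        has_index = any(f.lower() in INDEX_FILES for f in filenames)
        if logs and not has_index:
            rel = os.path.relpath(dirpath, plugins_root)
            findings.append((rel.replace(os.sep, "/"), logs))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout; plugin and file names are hypothetical."""
    layout = {
        "mailer-a/logs": ["debug_log.txt"],           # log, no index file
        "mailer-b/logs": ["smtp.log", "index.html"],  # log, guarded
        "gallery-c/assets": ["style.css"],            # no logs at all
    }
    for rel, files in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in files:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("")
    return base


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return find_unguarded_log_dirs(build_sample_tree(tmp))


if __name__ == "__main__":
    for folder, logs in demo():
        print(f"{folder}: no index file, log-like files: {', '.join(logs)}")
```

A blank index file only suppresses the folder listing; the log is still served to anyone who requests it by name, so treat a finding as a reason to update the plugin and restrict or relocate the log, not only to add the file.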
Folder Problem Documented in Changelog
The Easy WP SMTP plugin maintains what is called a changelog that documents all the changes within each update. The changelog is meant to be read so that a user can understand what an update is changing.
Normally, when a vulnerability is being patched, the plugin developers will note that a vulnerability is being patched. This gives the WordPress publisher the information they need to make an informed decision as to whether to update a plugin or wait.
A changelog that informs a publisher that an update is plugging a vulnerability allows that publisher to make an informed decision to update the plugin in order to avoid getting hacked.
The Easy WP SMTP plugin changelog only says that they are inserting an index.html file in a folder to prevent anyone from browsing it. That should be warning enough that this is an important update, but only if the publisher understands that peeking into the folder is dangerous.
Update Plugin Immediately
Full details and a description of this vulnerability are available at the NinTechNet blog.
It is highly recommended that all users of the Easy WP SMTP plugin update to a version that is higher than version 1.4.2.