
Easy WP SMTP Plugin Zero-Day Vulnerability Found


500,000+ websites currently have this plugin installed, and it is being actively exploited by threat actors.

The WordPress Easy WP SMTP plugin, which has 500,000+ active installations, fixed a zero-day vulnerability affecting version 1.4.2 and below that could allow an unauthenticated user to reset the admin password, among other issues.

The Easy WP SMTP plugin has an optional debug log where it writes every email message (headers and body) sent by the blog. It is located inside the plugin’s installation folder, “/wp-content/plugins/easy-wp-smtp/”. The log is a text file with a random name, e.g., 5fcdb91308506_debug_log.txt. The plugin’s folder doesn’t contain an index.html file, so on servers that have directory listing enabled, hackers can find and view the log.


Then they run the usual username enumeration scans to find the admin login name, for instance via the WordPress REST API.

Once they find the admin name, all they need to do is request a password reset on the login screen and grab the reset email, with its link to set a new password, from that same debug log. Boom, they are in with Admin privileges.
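As an added, defender-side illustration (not code from the original post or from NinTechNet), the following Python script scans Apache-style access-log lines for the chain described above: a listing of the plugin folder, a successful read of a `*_debug_log.txt` file, REST API user enumeration, and a lost-password request, and flags the client that hit them. The IPs, timestamps and sample log lines are constructed for the example, not taken from a real incident.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format). The first client walks
# the whole chain; the second is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2020:10:01:02 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1843 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2020:10:01:05 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fcdb91308506_debug_log.txt HTTP/1.1" 200 9120 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2020:10:01:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Dec/2020:10:01:15 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.4 - - [10/Dec/2020:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each stage of the chain as (name, predicate over method, path, status).
STAGES = [
    ("plugin_dir_listing", lambda m, p, s: m == "GET" and p.rstrip("/") == "/wp-content/plugins/easy-wp-smtp" and s == "200"),
    ("debug_log_read", lambda m, p, s: p.startswith("/wp-content/plugins/easy-wp-smtp/") and p.endswith("_debug_log.txt") and s == "200"),
    ("user_enumeration", lambda m, p, s: p.split("?")[0].startswith("/wp-json/wp/v2/users")),
    ("password_reset", lambda m, p, s: p.startswith("/wp-login.php") and "action=lostpassword" in p),
]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()

def stages_per_client(log_text):
    """Return {client_ip: set(stage names)} for every request that matches a stage."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, pred in STAGES:
            if pred(rec["method"], rec["path"], rec["status"]):
                seen[rec["ip"]].add(name)
    return dict(seen)

def flag_clients(log_text, min_stages=2):
    """Clients hitting at least min_stages distinct stages; a 200 on the debug log is flagged on its own."""
    out = {}
    for ip, names in stages_per_client(log_text).items():
        if len(names) >= min_stages or "debug_log_read" in names:
            out[ip] = sorted(names)
    return out

if __name__ == "__main__": print(flag_clients(SAMPLE_LOG))
```

A successful read of the debug log is flagged by itself because that client already holds every email the site sent; updating past 1.4.2 and disabling directory listing are the fixes regardless of what the log shows.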

A huge shoutout to The Ninja Technologies Network over at NinTechNet for finding this and notifying the developers so it could be fixed before the information was released.


Why should I choose a team to help with my WordPress instead of just a single Dev/Designer?

In today’s landscape, your Developer or Designer needs to have more behind them than just themselves. Hosting, Web Application Optimizations, Security, and everything else that goes along with a website are ever-changing roles, so much so that one person has to work in overdrive to keep up. Believe me when I say I am speaking from experience. You simply need a team to help manage it all.

How fast vulnerabilities hit the web, and the ever-changing roles of security, are enough to keep someone busy full time. Take a look at THIS and just look at how many ways WordPress can be broken and all of the plugins you have to pay attention to. Do you think the 500K users of Elementor knew right away that version 2.9.10 was an issue? No. It took teams of people to know that and figure it out. It took even more knowledge and know-how to figure out whether the version that replaced it would work with all of your other plugins without issues. Then add in all of the research that goes with that. Now we are talking about some serious amounts of time!

Why not just hire a team that deals in WordPress as if it were in our DNA? Hire Help 4 WordPress and replace all of the different things you need to have just to get your WordPress going and keep it going.

The Help 4 Network maintains a network of Ethical Hackers to ensure we stay on top of all of the news. Our team does nothing but web technology all day long; even when they work another job, it still pertains to what we do here. That makes our team the 24/7 watchdogs you need to make sure your site stays online and active! Our team can boast of time at multiple Fortune 500 Companies and even top-level Security Firms in this industry. When it comes to our Clients and their WordPress install, we take ZERO chances and work actively to stay ahead of the things and people who want to see you offline.