500,000+ Websites
Have this plugin installed, and it is currently being exploited by threat actors.
The WordPress Easy WP SMTP plugin, which has 500,000+ active installations, fixed a zero-day vulnerability affecting version 1.4.2 and below (patched in 1.4.3) that could allow an unauthenticated attacker to reset the admin password, among other issues.
The Easy WP SMTP plugin has an optional debug log where it writes all email messages (headers and body) sent by the blog. It is located inside the plugin’s installation folder, “/wp-content/plugins/easy-wp-smtp/”. The log is a text file with a random name, e.g., 5fcdb91308506_debug_log.txt. The plugin’s folder doesn’t have any index.html file, hence on servers that have directory listing enabled, hackers can find and view the log:
Then, they perform the usual username enumeration scans to find the admin login name, for instance via the REST API endpoint /wp-json/wp/v2/users, which lists user slugs to unauthenticated visitors by default:
Once they find the admin name, all they need to do is request a password reset on the login screen, re-read the debug log to grab the email containing the reset link, and set a new password. Boom, they are in with admin privileges. If you run this plugin, update it, delete any existing debug log from the plugin folder, turn off debug logging, and make sure directory listing is disabled on the web server.
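For defenders, the chain above leaves a recognisable trail in the web server access log: a 2xx fetch of the plugin folder or of a *_debug_log.txt file, a user-enumeration request, and then the password-reset flow, all from the same client. The script below is an added example written for this article, not code from the original post or from the plugin's authors. It runs a detection over constructed Apache/nginx combined-format log lines and also extracts WordPress reset links from a debug-log excerpt, so an incident responder can scope which accounts' links were exposed. The access-log lines and the debug-log excerpt are constructed samples; the excerpt approximates the plugin's headers-plus-body layout and is not copied from a real log, and the "_debug_log.txt" suffix is taken from the article.

```python
import re
from collections import defaultdict

# Combined access-log format (Apache/nginx default). Only the fields this
# detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The three stages of the chain: read the exposed debug log (a directory listing
# of the plugin folder, or the random-named *_debug_log.txt itself), enumerate
# usernames, then drive the password-reset flow.
STAGES = {
    "debug_log": re.compile(r"^/wp-content/plugins/easy-wp-smtp/(?:$|[^/?]*_debug_log\.txt$)"),
    "user_enum": re.compile(r"^/wp-json/wp/v2/users|^/\?author=\d+"),
    "pw_reset": re.compile(r"^/wp-login\.php\?action=(?:lostpassword|rp|resetpass)"),
}

# A WordPress reset link as it appears in the mail body: alphanumeric key,
# rawurlencoded login, and WordPress wraps the URL in angle brackets.
RESET_LINK_RE = re.compile(
    r"https?://[^\s<>\"']+/wp-login\.php\?action=rp&key=[A-Za-z0-9]+&login=[^\s<>\"']+"
)

# Constructed sample access log (not real traffic). 203.0.113.7 walks the whole
# chain; 198.51.100.4 only probes (403 on the folder); 192.0.2.9 is a normal
# user who forgot a password.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Dec/2020:10:01:02 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:05 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fcdb91308506_debug_log.txt HTTP/1.1" 200 82311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:20 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:31 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fcdb91308506_debug_log.txt HTTP/1.1" 200 83012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2020:10:01:40 +0000] "GET /wp-login.php?action=rp&key=AbCdEfGhIjKlMnOpQrSt&login=admin HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2020:10:02:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.68"
198.51.100.4 - - [10/Dec/2020:10:02:03 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 611 "-" "curl/7.68"
192.0.2.9 - - [10/Dec/2020:10:03:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Constructed debug-log excerpt approximating the plugin's headers-plus-body layout.
SAMPLE_DEBUG_LOG = """\
Headers:
To: admin@example.com
Subject: [Example Blog] Password Reset
Body:
Someone has requested a password reset for the following account:
Username: admin
To reset your password, visit the following address:
<https://example.com/wp-login.php?action=rp&key=AbCdEfGhIjKlMnOpQrSt&login=admin>
"""


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Map a request path (including query string) to a stage name, or None."""
    for stage, rx in STAGES.items():
        if rx.search(path):
            return stage
    return None


def find_attack_chains(lines):
    """Return {ip: sorted stages} for every client that both retrieved the debug
    log (2xx only: a 403/404 is a probe, not an exposure) and touched the reset flow."""
    per_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec["path"])
        if stage == "debug_log" and not rec["status"].startswith("2"):
            continue
        if stage:
            per_ip[rec["ip"]].add(stage)
    return {ip: sorted(s) for ip, s in per_ip.items()
            if "debug_log" in s and "pw_reset" in s}


def reset_links_in_debug_log(text):
    """Extract every password-reset URL from a leaked debug log, to scope the incident."""
    return RESET_LINK_RE.findall(text)


if __name__ == "__main__":
    for ip, stages in find_attack_chains(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(stages)}")
    for link in reset_links_in_debug_log(SAMPLE_DEBUG_LOG):
        print("exposed reset link:", link)
```

Requiring a successful fetch of the log plus a reset request, rather than either alone, keeps ordinary forgotten-password traffic and blind scanners out of the alert; user enumeration is recorded as supporting evidence but is not required, since an attacker who already knows the admin login can skip it.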
A huge shoutout to The Ninja Technologies Network over at NinTechNet for finding this and notifying the developers to fix it before releasing the information.