Hackers Abusing Recently Patched Vulnerability In Easy WP SMTP Plugin

Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email, and has a userbase of over 300,000 active installs. The vulnerability is only present in version 1.3.9 of the plugin, and all of the plugin’s users should update to 1.3.9.1 as quickly as possible to address the flaw.

This vulnerability is under active attack, being used by malicious actors to establish administrative control of affected sites en masse. We have released a firewall rule which prevents exploitation of the flaw, protecting Wordfence Premium sites which haven’t yet updated the affected plugin. Our free users will gain access to the new rule in thirty days, but they can protect themselves in the meantime by updating their plugins.

In today’s post, we’ll look at the vulnerability, how attackers are abusing it, and what users should do if they believe they’ve been put at risk.

Insufficient Access Controls In Import/Export Feature

The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

$is_import_settings = filter_input( INPUT_POST, 'swpsmtp_import_settings', FILTER_SANITIZE_NUMBER_INT );
if ( $is_import_settings ) {
  $err_msg = __( 'Error occurred during settings import', 'easy-wp-smtp' );
  if ( empty( $_FILES[ 'swpsmtp_import_settings_file' ] ) ) {
      echo $err_msg;
      wp_die();
  }
  $in_raw = file_get_contents( $_FILES[ 'swpsmtp_import_settings_file' ][ 'tmp_name' ] );
  try {
      $in = unserialize( $in_raw );
      if ( empty( $in[ 'data' ] ) ) {
          echo $err_msg;
          wp_die();
      }
      if ( empty( $in[ 'checksum' ] ) ) {
          echo $err_msg;
          wp_die();
      }
      if ( md5( $in[ 'data' ] ) !== $in[ 'checksum' ] ) {
          echo $err_msg;
          wp_die();
      }
      $data = unserialize( $in[ 'data' ] );
      foreach ( $data as $key => $value ) {
          update_option( $key, $value );
      }
      set_transient( 'easy_wp_smtp_settings_import_success', true, 60 * 60 );
      $url = admin_url() . 'options-general.php?page=swpsmtp_settings';
      wp_safe_redirect( $url );
      exit;

When this hook fires, the plugin checks for the existence of the POST parameter swpsmtp_import_settings. If this parameter is set to 1, it assumes that an import is taking place and checks for a file upload as swpsmtp_import_settings_file. The contents of the uploaded file are unserialized, and update_option is run on each given key/value pair.

A number of issues present themselves in this process.

First, and most importantly, no capabilities checks are performed during this process so an attacker does not need any special permissions to exploit this flaw.

Next, instead of running on a dedicated AJAX action, REST endpoint, or dashboard page, the importer looks for an import with every admin_init call. This means the code will run for unauthenticated users, as this call is made even for logged-out sessions. Without this element, an attacker would at least need subscriber-level access to a victim’s site.

Then, unsanitized user input is passed to unserialize(), which inherently creates an object injection vulnerability.

Lastly, any user-provided options are updated, rather than a set of plugin-specific options. This allows an attacker to alter any values in a site’s wp_options table, which is the activity taking place against vulnerable sites at this time.

Exploit Campaigns Taking Over Vulnerable Sites

The Defiant Threat Intelligence team is actively tracking activity from two distinct threat actors associated with this vulnerability.

Both of the campaigns launch their initial attacks identically, by using the proof of concept (PoC) exploit detailed in NinTechNet’s original disclosure of the vulnerability. These attacks match the PoC exactly, down to the checksum, and enable users to register administrator accounts by changing default_role to “administrator”, and enabling users_can_register. Then, the attacker uses these new settings to register an administrator user for themselves.

From here, the campaigns diverge. The first threat actor’s activity stops after this point, suggesting that this stage was the only automated step of their process and they’re just assembling a number of rogue admin accounts for later use.

The other campaign continues by altering the victim site’s siteurl and home options to trigger malicious redirects when the site is visited, then injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.

In these cases, we’ve identified two domains used in the options values and script injections: setforconfigplease[.]com, and getmyfreetraffic[.]com. These domains are followed by an alphanumeric path string, presumably used similar to affiliate tracking codes to identify the source of the newly created traffic. When encountered by a user, the redirecting sites check for and assign cookies to track these users and determine where to redirect them. The most common redirects seen from these sources are tech support scams warning that users’ computers may be affected by the Zeus virus, among others.

Notably, both of these domains resolve to the same host IP address, which also hosts the malicious domains somelandingpage[.]com and setforspecialdomain[.]com, both of which have been seen in similar attack campaigns.

Next Steps

The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers. As always, it’s important for users to regularly update their plugins in order to apply the security patches for vulnerabilities like these. Easy WP SMTP version 1.3.9.1 prevents unauthenticated access to the import script, as well as restricting affected options to only include expected values.

For typical WordPress users, if you believe your site may have been compromised as a result of this or any other vulnerability, consider reaching out to our team for a site cleaning. Otherwise, be on the lookout for the following indicators of compromise (IOCs):

• Logged traffic from the following IPs:
  • 185.212.131.45
  • 185.212.128.22
  • 185.212.131.46
  • 86.109.170.200
• Database siteurl and home values not matching their intended values, especially including the following domains:
  • setforconfigplease[.]com
  • getmyfreetraffic[.]com
• Administrator accounts present for unknown users. For example:
  • devidpentesting99
  • larryking99
• Malicious <script> tags injected into the first line of index.php files. For example:
  • <script type='text/javascript' async src='hXXps://setforspecialdomain[.]com/in2herg42t2?type=in2&frm=scr&'></script>

As this situation shows, the time between the publication of vulnerability details and the first round of attacks can be incredibly short. Even the most fastidious site owners can be caught unaware and left open to attack. A firewall backed by a team focused 100% on WordPress security is must-have insurance for these situations. If your site matters to you, consider upgrading to Wordfence Premium to guard against future vulnerabilities of this nature.