The WordPress Easy WP SMTP plugin, which has 500,000+ active installations, fixed a zero-day vulnerability affecting version 1.4.2 and below that could allow an unauthenticated user to reset the admin password among other issues.

According to the team at Ninja Technologies Network (NinTechNet), Easy WP SMTP 1.4.2 and older versions of the plugin contain a feature that creates debug logs for all emails sent by the site, which it then stores in its installation folder.

“The plugin’s folder doesn’t have any index.html file, hence, on servers that have directory listing enabled, hackers can find and view the log,” said NinTechNet’s Jerome Bruandet.

Then, they perform the usual username enumeration scans to find the admin login name, for instance via the REST API:

Hackers can also perform the same task using author archive scans (/?author=1).
They access the login page and ask for the reset of the admin password:


Then, they access the Easy WP SMTP debug log again in order to copy the reset link sent by WordPress:

With that link, they reset the admin password:

They log in to the admin dashboard and, on all WordPress hacked sites we saw, they immediately install rogue plugins on the blog.

Recommendations

Update immediately if you have version 1.4.2 or below installed.
Consider disabling the debug log, as it could leak sensitive information (messages, passwords etc).
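An added server-side audit, written here as an illustration and not code from the article, NinTechNet or the plugin, checks the two conditions the write-up describes on the site owner's own filesystem: a plugin folder with no index.html (so directory listing can expose it) and log-like files left inside it. It assumes the plugin lives at wp-content/plugins/easy-wp-smtp and that the debug log is a .txt or .log file in that folder; the article does not give the file name.

```shell
#!/bin/sh
# Added example, not from the article or the plugin.
# Usage: audit_plugin_dir /var/www/html/wp-content/plugins/easy-wp-smtp [fix]

# True when the folder already carries an index.html, which suppresses
# directory listing on servers that have it enabled.
has_index() {
    [ -f "$1/index.html" ]
}

# List files in the folder that look like debug/email logs.
# The name pattern is an assumption; the article only says the log is
# stored in the plugin's installation folder.
find_logs() {
    find "$1" -maxdepth 1 -type f \( -iname '*log*.txt' -o -iname '*.log' \) 2>/dev/null
}

# Report both conditions; with "fix", create an empty index.html (the usual
# WordPress "silence is golden" file) and drop world-read on any log files.
# Returns 0 when nothing is exposed, 1 when at least one condition holds.
audit_plugin_dir() {
    dir=$1
    mode=${2:-report}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    status=0
    if has_index "$dir"; then
        echo "ok: $dir has index.html (directory listing suppressed)"
    else
        echo "WARN: $dir has no index.html; listing may expose its contents"
        status=1
        if [ "$mode" = fix ]; then
            touch "$dir/index.html" && echo "fixed: created empty index.html"
        fi
    fi
    logs=$(find_logs "$dir")
    if [ -n "$logs" ]; then
        echo "WARN: log-like files present (may hold mail bodies and reset links):"
        echo "$logs"
        status=1
        if [ "$mode" = fix ]; then
            echo "$logs" | while IFS= read -r f; do chmod o-r "$f"; done
            echo "fixed: removed world-read permission on log files"
        fi
    fi
    return $status
}
```

Disabling the plugin's debug log and disabling directory listing server-wide remain the real fixes; this script only flags and contains what is already on disk.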
