Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import



Description
The changelog for easy-wp-smtp states that version 1.3.9.1 of the plugin (SVN changeset 2052058) "fixed potential vulnerability in import\export settings." This version was released on 17th March 2019.

It appears that an unauthenticated user can import arbitrary wp_options by providing a PHP serialized array in $_POST['swpsmtp_import_settings']. This can be used to permit new user registrations and default their permissions to 'administrator'.

The vulnerability and fixes are detailed in the plugin SVN changelog: https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail=

This appears to be under active exploitation in the wild at this time.

It is noted that the changelog of the plugin does not explain the severity of the vulnerability and refers to it merely as "potential".
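
A triage check for the condition described above, as an added example that is not part of the advisory or the plugin's code. It assumes WP-CLI is installed on the host and maps the advisory's wording to the WordPress core options users_can_register and default_role; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the advisory or the plugin: triage a site for the
# state described above. Assumes numeric dotted plugin versions.
FIXED_VERSION="1.3.9.1"   # fixed release named in the advisory

# version_lt A B: succeeds when dotted version A is older than B.
# Missing components count as 0, so 1.3.9 < 1.3.9.1.
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$x" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$y" = "$b" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# triage VERSION USERS_CAN_REGISTER DEFAULT_ROLE
# Prints one finding per line; the exit status is the number of findings.
# users_can_register and default_role are the WordPress core options behind
# "permit new user registrations" and the default role for new accounts.
triage() {
  n=0
  if [ -n "$1" ] && version_lt "$1" "$FIXED_VERSION"; then
    echo "VULNERABLE: easy-wp-smtp $1 is older than $FIXED_VERSION"
    n=$((n + 1))
  fi
  if [ "$2" = "1" ]; then
    echo "REVIEW: open registration is enabled (users_can_register=1)"
    n=$((n + 1))
  fi
  if [ "$3" = "administrator" ]; then
    echo "INDICATOR: default_role is 'administrator'"
    n=$((n + 1))
  fi
  return "$n"
}

# Live run via WP-CLI from the site root. Any option may have been imported,
# so also review the administrator accounts and their registration dates.
if command -v wp >/dev/null 2>&1 && wp core is-installed >/dev/null 2>&1; then
  triage "$(wp plugin get easy-wp-smtp --field=version 2>/dev/null)" \
         "$(wp option get users_can_register)" \
         "$(wp option get default_role)"
  wp user list --role=administrator --fields=ID,user_login,user_registered
fi
```

Updating to 1.3.9.1 does not revert options that were already imported, so the option and account checks still matter on a patched site.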

Affects Plugin

easy-wp-smtp: fixed in version 1.3.9.1

References

URL https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail=
URL https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
URL https://wordpress.org/support/topic/vulnerability-26/

Classification

Type AUTHBYPASS
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-287

Miscellaneous

Original Researcher JEROME BRUANDET (NinTechNet)
Submitter Peter Upfold
Submitter Website https://peter.upfold.org.uk/
Submitter Twitter PeterUpfold
Views 7756
Verified No
WPVDB ID 9237

Timeline

Publicly Published 2019-03-17
Added 2019-03-20
Last Updated 2019-03-20
