Easy WP SMTP 0-Day vulnerability
Easy WP SMTP is a very popular WordPress plugin that provides routing outgoing emails from a WordPress site to an SMTP server of choice. It is a great tool for resolving issues with the email delivery, we have used it on many occasions with our client sites, it has 300,000+ active installs and it is regularly updated. This is why it came as a shock when it was reported that the latest version of the plugin (1.3.9) had a serious security issue that led to a lot of sites being hacked.
The plugin vulnerability was discovered on March 15th by the Ninja Technologies Network, after it was caught by their plugin NinjaFirewall (WP edition). They immediately notified the plugin authors and a patch was released on March 17th, but some damage has already been done and many of those who are still unaware of the vulnerability are at risk of having their sites hacked.
The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The hackers found a hole in the function part of this feature that allowed them to alter the site’s overall settings – not just the ones related to the plugin.
Every WordPress site has an ‘Anyone can register’ option, which some admin users keep disabled for security purposes. There is also another option called ‘default role’. Usually, this option is set to ‘subscriber’, although it can be changed. Of course, no one wants to allow anyone to register as an admin, but other options include registering as an editor, contributor, or a custom role provided by a plugin (or hard-coded by a developer).
What hackers did was to enable the option ‘Anyone can register’. After that, they were able to register as many accounts as they wanted with the role of ‘subscriber’. The subscriber role doesn’t provide any significant control over the site by default, but hackers would then change the abilities to grant the ‘subscriber’ role the same permissions as ‘administrator’.
In the follow-up attacks, the method was changed and simplified. Instead of having to enable ‘Anyone can register’ and creating subscriber accounts, granting them admin privileges, hackers have modified the ‘Default role’ instead, thereby making any newly registered user an admin.
As an admin user, a hacker would then have complete control over the infected WordPress site.
Who exploited Easy WP SMTP?
Although both hacking groups used the same method to gain access to sites, their actions were not the same afterwards. While one group did nothing after setting up a number of rogue admins (probably for later use), the second group went ahead and made modifications to the site to set up malicious redirects.
Although no other specific information has been unveiled about the hackers, all users should be on the lookout if they notice the following:
Logged traffic from these IPs
Database siteurl and home values not matching their intended values, especially including the following domains
Administrator accounts present for unknown users. For example
– Malicious tags injected into the first line of index.php files. For example:
Modifications made by hackers
It sounds scary enough when you say that a hacker was able to access the site as an admin, but that’s not where it ends. This is actually the beginning. After they gain access to the site, hackers need to make changes to achieve their goals.
As mentioned earlier, while one of the hacking groups stopped after creating a number of admin users, the other group made modifications to the site files and database. The option values
home, which can be found in the wp_options table of the WordPress database, were altered to trigger malicious redirects when the site is visited. In this case, infected site visitors were redirected to tech support scams with a warning that users computers may be affected by the Zeus virus.
They’ve also injected malicious scripts into all PHP files that contained the string ‘index’ in their filename. This -obviously- applies to index.php files but also happens to impact some files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.
As reported by Defiant, two domains were used in options values changes and script injections: setforconfigplease[.]com and getmyfreetraffic[.]com.
Notably, both of these domains resolve to the same host IP address, which also hosts the malicious domains somelandingpage[.]com and setforspecialdomain[.]com, both of which have been seen in similar attack campaigns.
Checking your site for being infected
If you are running the compromised version (1.3.9) of the plugin Easy WP SMTP, it is mandatory to update it to version 126.96.36.199 as soon as possible. If you already did that and didn’t notice that your site was hacked, here are some things you can check just in case:
- Check your WordPress “Settings > General” page: Make sure nothing has tampered with(URL, Email Address, Membership and New User Default Role).
- Check your WordPress “Users” page: Look for new users, weird admin accounts, check the admin email address etc.
- Change all WordPress User passwords, especially those for Administrators, Editors, Authors, and Contributors.
- Check your WordPress
wp_options* table in the database: Make sure
wp_user_roles*, which contains user roles and capabilities, hasn’t been tampered with.
- Scan your files too, hackers may have uploaded backdoors.
- Change your SMTP password, hackers may have stolen it.
- Install a web application firewall to protect your blog.
*If you changed your WordPress database prefix, replace
wp_ with the correct one.
If you are still having doubts, check our WordPress Malware Removal Service and we will scan, clean and secure your WordPress the site for you.
The Easy WP SMTP 0-day aftermath
Even after the updated version of the plugin was released, attacks were still being reported by users on many support forums, including WordPress.org. Some users were not sure what was going on and they reported that someone was able to register themselves as admin on their site. Others were well aware that they were hacked and disappointed.
This goes to show that the time between the publication of vulnerability details and the first round of attacks can be incredibly short. It also points out how important it is to secure the site properly. Since WordPress is the most popular CMS, it is not a surprise that 90% of the hacked websites are built on WordPress.
While it is important to update plugins regularly, that advice cannot be applied in this case, since it was the latest version of the plugin that was hacked. So, can we blame the end-user in this case? Not entirely. This was a mistake on the plugin authors’ side. Still, those who implemented a good security plugin or had a firewall provided by a premium service were protected even against this.