CVE-2019-25141
Published: 2023-06-07
Priority: P183 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.46% (90.2nd percentile)
The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. Because WordPress fires the admin_init hook on every request to wp-admin/admin-ajax.php, including requests from visitors who are not logged in, the plugin's settings-import handler runs for anyone who posts to that endpoint. This makes it possible for unauthenticated attackers to modify the plugin's settings and arbitrary options on the site, which can be used to inject new administrative user accounts (for example by enabling self-registration and setting the default role to administrator).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp-ecommerce | easy_wp_smtp | <= 1.3.9 | — |
Detection & IOCs (extracted from sources)
- other: `a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}` (the PHP-serialized import file used by the public exploit: an outer array with a `data` string, itself a serialized options array, and a `checksum`)
- Look for a multipart upload of a .txt file via the swpsmtp_import_settings_file field whose content is a PHP-serialized payload setting users_can_register=1 and default_role=administrator. Those two options open self-registration with administrator as the default role, i.e. an attempt to create a rogue admin account.
- Successful exploitation results in an HTTP 302 redirect to options-general.php?page=swpsmtp_settings; monitor for this response following POSTs to admin-ajax.php that carry no WordPress login cookie.
- The plugin path (wp-content/plugins/easy-wp-smtp/) in web server logs or HTTP responses identifies hosts running Easy WP SMTP; it says nothing about the installed version, which still has to be confirmed.
- Versions up to and including 1.3.9 are affected; the fix shipped in 1.3.9.1, the release immediately after 1.3.9, so 1.4.0 and later are patched as well. Scope version checks to <= 1.3.9 rather than < 1.4.0, or a patched 1.3.9.1 install will be reported as vulnerable.
- The checksum in the public payload (3ce5fb6d7b1dbd6252f4b5b3526650c8) is an MD5 digest the attacker computes over the `data` string. It works as a static signature for the unmodified PoC only: changing a single option yields a new, equally valid checksum, so match on the option names and values rather than on the digest.
- The Nuclei template is marked 'intrusive': running it actively attempts to modify WordPress site options and should only be used in authorized testing environments.
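The indicators above can be combined into one triage routine. The following is an added example, not code from this page or from the Easy WP SMTP project: it parses the PHP-serialized import file the IOC shows (outer array with `data` and `checksum`, inner array of option name/value pairs), recomputes the checksum to show it is derived from the data rather than a fixed value, pulls the upload out of a multipart body, and correlates it with the 302 redirect. The multipart boundary, the `swpsmtp_import_settings` flag field, the response fields and the login-cookie flag are constructed for the sample and are assumptions, not details quoted on the page; only the payload bytes and the `swpsmtp_import_settings_file` field name come from the IOC list.

```python
"""Triage a captured admin-ajax.php POST for CVE-2019-25141 exploitation.

Added example; not code from the page or the Easy WP SMTP project. Assumes the
import-file layout shown in the page's IOC: an outer PHP-serialized array with
'data' (a serialized options array) and 'checksum' (md5 of 'data'). The
boundary, the 'swpsmtp_import_settings' field and the response are constructed.
"""
import hashlib
import re
from typing import Dict, Optional, Tuple

# Options the public payload writes: open self-registration, default role administrator.
ROGUE_ADMIN_OPTIONS = {b"users_can_register": b"1", b"default_role": b"administrator"}
UPLOAD_FIELD = b"swpsmtp_import_settings_file"
SETTINGS_REDIRECT = "options-general.php?page=swpsmtp_settings"

_ARRAY_HDR = re.compile(rb"a:(\d+):\{")
_STR_HDR = re.compile(rb's:(\d+):"')


def php_unserialize_str_array(blob: bytes) -> Dict[bytes, bytes]:
    """Parse a PHP-serialized array whose keys and values are all strings.

    Walks the byte-length prefixes instead of splitting on quotes or braces, so a
    value that is itself a serialized array (as 'data' is) comes back intact.
    """
    hdr = _ARRAY_HDR.match(blob)
    if not hdr:
        raise ValueError("not a PHP-serialized array")
    pos = hdr.end()

    def read_str(p: int) -> Tuple[bytes, int]:
        m = _STR_HDR.match(blob, p)
        if not m:
            raise ValueError(f"expected string at offset {p}")
        start, end = m.end(), m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {end}")
        return blob[start:end], end + 2

    out: Dict[bytes, bytes] = {}
    for _ in range(int(hdr.group(1))):
        key, pos = read_str(pos)
        out[key], pos = read_str(pos)
    if blob[pos:pos + 1] != b"}":
        raise ValueError("unterminated array")
    return out


def php_serialize_str_array(items: Dict[bytes, bytes]) -> bytes:
    """Inverse of the parser: PHP serialize() output for a flat string array."""
    body = b"".join(b's:%d:"%s";s:%d:"%s";' % (len(k), k, len(v), v) for k, v in items.items())
    return b"a:%d:{%s}" % (len(items), body)


def build_import_file(options: Dict[bytes, bytes]) -> bytes:
    """Build an import file with a valid checksum. This is why the digest is a weak
    signature: it is just md5(data), recomputed for free after any option change."""
    data = php_serialize_str_array(options)
    return php_serialize_str_array({b"data": data, b"checksum": hashlib.md5(data).hexdigest().encode()})


def extract_upload(body: bytes, boundary: bytes, field: bytes = UPLOAD_FIELD) -> Optional[bytes]:
    """Return the content of the multipart part named `field`, or None if absent."""
    for part in body.split(b"--" + boundary):
        head, sep, content = part.partition(b"\r\n\r\n")
        if sep and b'name="%s"' % field in head:
            return content[:-2] if content.endswith(b"\r\n") else content
    return None


def analyse_import_file(blob: bytes) -> dict:
    """Report checksum validity and rogue-admin intent of an uploaded settings file."""
    outer = php_unserialize_str_array(blob)
    data, checksum = outer.get(b"data", b""), outer.get(b"checksum", b"")
    options = php_unserialize_str_array(data)
    return {
        "checksum_valid": hashlib.md5(data).hexdigest().encode() == checksum,
        "options": {k.decode(): v.decode() for k, v in options.items()},
        "rogue_admin": all(options.get(k) == v for k, v in ROGUE_ADMIN_OPTIONS.items()),
    }


def classify_exchange(path: str, body: bytes, boundary: bytes, status: int,
                      location: str, has_login_cookie: bool) -> str:
    """Combine the request-side and response-side indicators into one verdict."""
    if has_login_cookie or not path.endswith("/wp-admin/admin-ajax.php"):
        return "benign"
    upload = extract_upload(body, boundary)
    if upload is None:
        return "benign"
    try:
        result = analyse_import_file(upload)
    except ValueError:
        return "suspicious: unparseable settings import from anonymous client"
    if not result["rogue_admin"]:
        return "suspicious: anonymous settings import"
    if status == 302 and SETTINGS_REDIRECT in location:
        return "exploited: rogue-admin options accepted"
    return "attempt: rogue-admin options in upload"


# Constructed sample exchange. PAGE_PAYLOAD is the serialized IOC quoted on the page;
# the boundary, the extra form field and the response values are made up.
PAGE_PAYLOAD = (
    b'a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";'
    b's:12:"default_role";s:13:"administrator";}";s:8:"checksum";'
    b's:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}'
)
BOUNDARY = b"----constructedBoundary9f3a"
SAMPLE_BODY = b"".join([
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="swpsmtp_import_settings"\r\n\r\n1\r\n',
    b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="swpsmtp_import_settings_file"; '
    b'filename="settings.txt"\r\nContent-Type: text/plain\r\n\r\n' + PAGE_PAYLOAD + b"\r\n",
    b"--" + BOUNDARY + b"--\r\n",
])

if __name__ == "__main__":
    print(analyse_import_file(PAGE_PAYLOAD))
    print(classify_exchange("/wp-admin/admin-ajax.php", SAMPLE_BODY, BOUNDARY, 302,
                            "/wp-admin/options-general.php?page=swpsmtp_settings", False))
```

The parser deliberately uses the length prefixes: a regex over `users_can_register` alone would miss a payload that pads or reorders the options, and a signature on the digest would miss one built with `build_import_file` and different values. In a WAF or proxy rule the equivalent is to decode the upload and check the option names and values, not the checksum.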
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-rpx2-wvxr-qvrr · ghsa_unreviewed · 2023-06-07 · CRITICAL · CWE-862 (Missing Authorization)
Description: identical to the CVE description above.
VulnCheck
wp-ecommerce easy_wp_smtp Missing Authorization · vulncheck · 2019 · CVSS 9.8 · CRITICAL
Description: identical to the CVE description above.
Affected: wp-ecommerce easy_wp_smtp
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.htm (the linked post concerns the 2014 MailPoet campaign, not Easy WP SMTP)
No detection rules found.
Nuclei
Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update · nuclei · CVSS 9.8 · CRITICAL
Description: identical to the CVE description above.
Template (excerpt):
id: CVE-2019-25141

info:
  name: Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
  author: DhiyaneshDK
  severity: critical
  description: |
    The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing
No writeups or analysis indexed.
References
- https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/
- https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail=
- https://wordpress.org/support/topic/vulnerability-26/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aee6-b96d70bee264?source=cve