CVE-2020-35234
Published: 2020-12-14
Priority: P183 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (VulnCheck KEV)
EPSS: 63.41% (99.1th percentile)
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wp-ecommerce | easy_wp_smtp | < 1.4.4 | 1.4.4 |
Detection & IOCs (extracted from sources)
Sigma rule:
HTTP GET /wp-content/plugins/easy-wp-smtp/logs/ returning status 200 with body containing 'Index of', 'Parent Directory', 'easy-wp-smtp', '.txt'
Detection guidance:
- Look for unauthenticated HTTP GET requests to /wp-content/plugins/easy-wp-smtp/logs/ or /wp-content/plugins/easy-wp-smtp/ that return a directory listing (HTTP 200 with 'Index of', 'Parent Directory', 'easy-wp-smtp', and '.txt' in the response body).
- Monitor for access to debug log files matching the pattern #############_debug_log.txt inside the easy-wp-smtp plugin directory, which may contain password-reset links.
- Detect the exploitation pattern: a password-reset request for an admin account followed shortly by a GET request to the easy-wp-smtp debug log path, indicating an attacker harvesting the reset link.
- Alert on directory listing responses (body containing 'Index of') for any path under /wp-content/plugins/easy-wp-smtp/, as the absence of index.html in the plugin folder enables directory browsing.
- Check the response body for the keywords 'debug', 'log', and 'Index of' together when accessing the easy-wp-smtp plugin directory, as used in active exploitation templates.
Caveats:
- The debug log is only created if debug mode is enabled in the plugin AND at least one email has been sent through the plugin. If neither condition is met, the log file will not exist even if directory listing is enabled.
- The Metasploit module includes an 'Aggressive' mode that bypasses the check for the debug log file's existence, meaning exploitation attempts may occur even when no log file is present.
- This vulnerability was actively exploited in the wild in December 2020, indicating real-world attacker interest, consistent with its high EPSS score (0.81457, 99.177th percentile).
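The sequence described in the detection guidance (a password-reset request followed shortly by a read of the plugin directory or its debug log) can be checked against web server access logs. The script below is an added example, not part of the original record or of any vendor tooling; it assumes combined-log-format lines, that WordPress reset requests arrive as POST /wp-login.php?action=lostpassword, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format (only the fields needed here are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"
# Debug log name pattern from the advisory: <digits>_debug_log.txt under the plugin directory.
DEBUG_LOG_RE = re.compile(r"^/wp-content/plugins/easy-wp-smtp/.*_debug_log\.txt$")
# Assumption: the WordPress "lost password" form posts to this endpoint.
RESET_RE = re.compile(r"^/wp-login\.php\?action=lostpassword")

# Constructed sample lines (not real traffic) illustrating the exploitation sequence.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2020:10:00:01 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1532 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Dec/2020:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '203.0.113.5 - - [10/Dec/2020:10:00:09 +0000] "GET /wp-content/plugins/easy-wp-smtp/1607594401_debug_log.txt HTTP/1.1" 200 8812 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Dec/2020:10:01:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

def parse(line):
    """Return a dict with ip, ts (datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def analyze(lines, window=timedelta(minutes=10)):
    """Flag successful reads of the plugin directory or debug log; escalate when the same
    client requested a password reset within `window` beforehand (same-IP correlation is a
    heuristic: an attacker may split the steps across addresses)."""
    alerts, last_reset = [], {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, path = ev["ip"], ev["path"]
        if ev["method"] == "POST" and RESET_RE.match(path):
            last_reset[ip] = ev["ts"]
            continue
        if ev["method"] != "GET" or ev["status"] != 200:
            continue  # 403/404 mean the listing or log was not served
        if DEBUG_LOG_RE.match(path):
            kind = "debug_log_read"
        elif path in (PLUGIN_DIR, PLUGIN_DIR + "logs/"):
            kind = "plugin_dir_listing"
        else:
            continue
        t = last_reset.get(ip)
        if t is not None and ev["ts"] - t <= window:
            kind = "reset_then_log_read"
        alerts.append({"ip": ip, "kind": kind, "path": path, "ts": ev["ts"].isoformat()})
    return alerts
```

Access logs do not show response bodies, so the 'Index of' check from the Sigma rule must be done at the proxy or WAF layer; this script only sees the status code.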
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | – | 7.5 | HIGH | – |
GHSA
GHSA-m9j8-w3jp-p7wq (ghsa_unreviewed · 2022-05-24): CVE-2020-35234 [HIGH], CWE-532
VulnCheck
wp-ecommerce easy_wp_smtp Insertion of Sensitive Information into Log File (vulncheck · 2020 · CVSS 7.5 · HIGH)
Affected: wp-ecommerce easy_wp_smtp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2020-35234; https://www.cve.org/CVERecord?id=CVE-2020-
No detection rules found.
Metasploit
WordPress Easy WP SMTP Password Reset (metasploit)
WordPress plugin Easy WP SMTP versions <= 1.4.2 were found to not include index.html within the plugin folder. This potentially allows directory listings. If debug mode is also enabled for the plugin, all SMTP commands are stored in a debug file. An email must also have been sent from the system to create the debug file. If an email hasn't been sent (the Test Email function is not included), Aggressive mode can bypass that last check. Combining these items, it is possible to request a password reset for an account, then view the debug file to determine the link that was emailed out, and reset the user's password.
Nuclei
WordPress Easy WP SMTP - Log Exposure (nuclei · CVSS 7.5 · HIGH)
Detected WordPress Easy WP SMTP plugin debug log file exposed via directory listing, potentially revealing sensitive email contents including password reset links.
Template (truncated in the source after `cve-i`):

```yaml
id: wp-easy-wp-smtp-log-exposure
info:
  name: WordPress Easy WP SMTP - Log Exposure
  author: 0x_Akoko
  severity: medium
  description: |
    Detected WordPress Easy WP SMTP plugin debug log file exposed via directory listing, potentially revealing sensitive email contents including password reset links.
  reference:
    - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35234
    - https://wpscan.com/vulnerability/10494
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-i
```
Nuclei
SMTP WP Plugin Directory Listing (nuclei · CVSS 7.5 · HIGH)
The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.
Template (truncated in the source after `cla`):

```yaml
id: CVE-2020-35234
info:
  name: SMTP WP Plugin Directory Listing
  author: PR3R00T
  severity: high
  description: The WordPress Easy WP SMTP Plugin has its log folder remotely accessible and its content available for access.
  impact: |
    Low: Information disclosure
  remediation: Upgrade to version 1.4.3 or newer and consider disabling debug logs.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35234
    - https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/
    - https://wordpress.org/plugins/easy-wp-smtp/#developers
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  cla
```
No writeups or analysis indexed.
Timeline: 2020-12-14 published; exploited in the wild.