CVE-2020-35234
published 2020-12-14


Priority: P183 high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 63.41% (99.1th percentile)
The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
wp-ecommerce | easy_wp_smtp | < 1.4.4 | 1.4.4

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/easy-wp-smtp/logs/
path: /wp-content/plugins/easy-wp-smtp/
filename: #############_debug_log.txt
sigma: HTTP GET /wp-content/plugins/easy-wp-smtp/logs/ returning status 200 with body containing 'Index of', 'Parent Directory', 'easy-wp-smtp', '.txt'
  • Look for unauthenticated HTTP GET requests to /wp-content/plugins/easy-wp-smtp/logs/ or /wp-content/plugins/easy-wp-smtp/ that return a directory listing (HTTP 200 with 'Index of', 'Parent Directory', 'easy-wp-smtp', and '.txt' in the response body).
  • Monitor for access to debug log files matching the pattern #############_debug_log.txt inside the easy-wp-smtp plugin directory, which may contain password-reset links.
  • Detect exploitation pattern: a password-reset request for an admin account followed shortly by a GET request to the easy-wp-smtp debug log path, indicating an attacker harvesting the reset link.
  • Alert on directory listing responses (body containing 'Index of') for any path under /wp-content/plugins/easy-wp-smtp/, as the absence of index.html in the plugin folder enables directory browsing.
  • Check response body for keywords 'debug', 'log', and 'Index of' together when accessing the easy-wp-smtp plugin directory, as used in active exploitation templates.
  • The debug log is only created if debug mode is enabled in the plugin AND at least one email has been sent through the plugin. If neither condition is met, the log file will not exist even if directory listing is enabled.
  • The Metasploit module includes an 'Aggressive' mode that bypasses the check for the debug log file's existence, meaning exploitation attempts may occur even when no log file is present.
  • This vulnerability was actively exploited in the wild in December 2020, indicating real-world attacker interest and a high EPSS score (0.81457, 99.177th percentile).
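
The detection notes above, applied to web server access logs, as an added example that is not part of the original page or of any vendor rule. Assumptions: combined log format, WordPress's wp-login.php?action=lostpassword as the reset request, correlation by client IP within a 5-minute window, and constructed sample lines (including the log filename).

```python
import re
from datetime import datetime, timedelta

# Paths and filename pattern come from the IOC list above.
LISTING_RE = re.compile(r"^/wp-content/plugins/easy-wp-smtp/(logs/)?$")
DEBUG_LOG_RE = re.compile(r"^/wp-content/plugins/easy-wp-smtp/(?:[^?]*/)?[^/?]*_debug_log\.txt$")
RESET_RE = re.compile(r"^/wp-login\.php\?(?:.*&)?action=lostpassword(?:&|$)")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per site

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE = """\
198.51.100.7 - - [14/Dec/2020:10:00:01 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1320 "-" "curl/7.68.0"
198.51.100.7 - - [14/Dec/2020:10:00:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [14/Dec/2020:10:00:09 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fd7a1b2c3d4e_debug_log.txt HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.20 - - [14/Dec/2020:11:30:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.21 - - [14/Dec/2020:12:00:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/logs/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of failing
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect(log_text):
    findings, last_reset = [], {}  # last_reset: client IP -> time of last reset request
    for rec in filter(None, map(parse, log_text.splitlines())):
        ip, ts, method, path, status = rec
        if method == "POST" and RESET_RE.match(path):
            last_reset[ip] = ts
        elif method == "GET" and status == 200 and LISTING_RE.match(path):
            # Access logs carry no body; confirm 'Index of' in the response separately.
            findings.append(("possible_directory_listing", ip, path))
        elif method == "GET" and status == 200 and DEBUG_LOG_RE.match(path):
            findings.append(("debug_log_read", ip, path))
            if ip in last_reset and timedelta(0) <= ts - last_reset[ip] <= WINDOW:
                findings.append(("reset_then_log_read", ip, path))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f)
```

A 200 on the plugin directory is only a candidate listing; on a patched or hardened site the same request returns 403 or an empty index, as in the last sample line.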

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck | 7.5 | HIGH