Easy WP SMTP 0-Day vulnerability
Easy WP SMTP is a very popular WordPress plugin that provides routing outgoing emails from a WordPress site to an SMTP server of choice. It is a great tool for resolving issues with the email delivery, we have used it on many occasions with our client sites, it has 300,000+ active installs and it is regularly updated. This is why it came as a shock when it was reported that the latest version of the plugin (1.3.9) had a serious security issue that led to a lot of sites being hacked.
The plugin vulnerability was discovered on March 15th by the Ninja Technologies Network, after it was caught by their plugin NinjaFirewall (WP edition). They immediately notified the plugin authors and a patch was released on March 17th, but some damage has already been done and many of those who are still unaware of the vulnerability are at risk of having their sites hacked.
The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The hackers found a hole in the function part of this feature that allowed them to alter the site’s overall settings – not just the ones related to the plugin.
Every WordPress site has an ‘Anyone can register’ option, which some admin users keep disabled for security purposes. There is also another option called ‘default role’. Usually, this option is set to ‘subscriber’, although it can be changed. Of course, no one wants to allow anyone to register as an admin, but other options include registering as an editor, contributor, or a custom role provided by a plugin (or hard-coded by a developer).
What hackers did was to enable the option ‘Anyone can register’. After that, they were able to register as many accounts as they wanted with the role of ‘subscriber’. The subscriber role doesn’t provide any significant control over the site by default, but hackers would then change the abilities to grant the ‘subscriber’ role the same permissions as ‘administrator’.
In the follow-up attacks, the method was changed and simplified. Instead of having to enable ‘Anyone can register’ and creating subscriber accounts, granting them admin privileges, hackers have modified the ‘Default role’ instead, thereby making any newly registered user an admin.
As an admin user, a hacker would then have complete control over the infected WordPress site.
Who exploited Easy WP SMTP?
Although both hacking groups used the same method to gain access to sites, their actions were not the same afterwards. While one group did nothing after setting up a number of rogue admins (probably for later use), the second group went ahead and made modifications to the site to set up malicious redirects.
Although no other specific information has been unveiled about the hackers, all users should be on the lookout if they notice the following:
Logged traffic from these IPs
Database siteurl and home values not matching their intended values, especially including the following domains
Administrator accounts present for unknown users. For example
– Malicious <script> tags injected into the first line of index.php files. For example:
Modifications made by hackers
It sounds scary enough when you say that a hacker was able to access the site as an admin, but that’s not where it ends. This is actually the beginning. After they gain access to the site, hackers need to make changes to achieve their goals.
As mentioned earlier, while one of the hacking groups stopped after creating a number of admin users, the other group made modifications to the site files and database. The option values
home, which can be found in the wp_options table of the WordPress database, were altered to trigger malicious redirects when the site is visited. In this case, infected site visitors were redirected to tech support scams with a warning that users computers may be affected by the Zeus virus.
They’ve also injected malicious scripts into all PHP files that contained the string ‘index’ in their filename. This -obviously- applies to index.php files but also happens to impact some files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.
As reported by Defiant, two domains were used in options values changes and script injections: setforconfigplease[.]com and getmyfreetraffic[.]com.
Notably, both of these domains resolve to the same host IP address, which also hosts the malicious domains somelandingpage[.]com and setforspecialdomain[.]com, both of which have been seen in similar attack campaigns.
Checking your site for being infected
If you are running the compromised version (1.3.9) of the plugin Easy WP SMTP, it is mandatory to update it to version 184.108.40.206 as soon as possible. If you already did that and didn’t notice that your site was hacked, here are some things you can check just in case:
- Check your WordPress General Settings Page and make sure nothing was changed. Take a look at the URL, Email Address, Membership and New User Default Role and make sure they are not showing any weird values.
- Visit your Users Page and look for any new users, weird admin accounts. Also, make sure to check their registered email address and see if they are current and valid.
- Change all WordPress user account passwords, especially those for Administrators, Editors, Authors, and Contributors.
- Check your WordPress wp_options* table in the database, especially the site_url and home option_value. Also make sure wp_user_roles*, which contains user roles and capabilities do not contain weird usernames and emails.
- Scan your WordPress files, hackers may have uploaded backdoors and used them to create Malware Redirects.
- Change your SMTP password because hackers may have stolen it.
*If you changed your WordPress database prefix, replace
wp_ with the one you used.
How to Fix Easy WP SMTP 0-day hack
If you’re one of the sites which got infected by this o-day vulnerability before installing the patched version then you should try and follow the following steps in order to clean your hacked WordPress website.
Delete any Unauthorized Admin User Accounts
Originally this 0-day vulnerability was exploited by creating unauthorized admin accounts so the first step is to check your WordPress users and delete the ones you didn’t authorize, especially under the administrator user role. You can also use a WordPress plugin and order the user list page by users registration date showing only those accounts created after the day WP Easy SMTP was exploited.
Reset Admin Account Password
This is a general action for every hacked site; change the password for all of your administrator accounts. We’d also suggest doing the same for all accounts except the ones who belong to the subscriber user role.
Uninstall the Infected WP Easy SMTP Plugin and Install the Patched One
It goes without saying that you must remove any trace of the infected plugin and replace it with the patched version 220.127.116.11.
Change your Email Settings
We strongly suggest to stop using your current email account and password and create a new pair. If you don’t want to miss any of the emails sent to your old email address then you should consider email forwarding.
Check your WordPress Database
As mentioned earlier you should inspect your WordPress options database table
Reset all of the WordPress Files
One of the safest ways to get rid of a hack is to reset your WordPress site. This means that you need to delete and replace each of your WordPress core files, themes and plugins. It also means that you must find the login details for any of the premium theme and plugin accounts you used while developing your website.
Reset your WordPress site using a backup
An alternative approach is to apply all the previous hacking fix steps but before that, you should restore your WordPress site using a backup before WP Easy SMTP was exploited. Then you should proceed to all the previous steps in order to clean your WordPress site.
The Easy WP SMTP 0-day aftermath
Even after the updated version of the plugin was released, attacks were still being reported by users on many support forums, including WordPress.org. Some users were not sure what was going on and they reported that someone was able to register themselves as admin on their site. Others were well aware that they were hacked and disappointed.
This goes to show that the time between the publication of vulnerability details and the first round of attacks can be incredibly short. It also points out how important it is to secure the site properly. Since WordPress is the most popular CMS, it is not a surprise that 90% of the hacked websites are built on WordPress.
While it is important to update plugins regularly, that advice cannot be applied in this case, since it was the latest version of the plugin that was hacked. So, can we blame the end-user in this case? Not entirely. This was a mistake on the plugin authors’ side. Still, those who implemented a good security plugin or had a firewall provided by a premium service were protected even against this.
Do you need help recovering and securing your hacked WordPress site?
If you are still having doubts, check our WordPress Hacked Fix Service and we will scan, clean and secure your WordPress the site for you.