Hackers can reset administrator account passwords on WordPress sites by exploiting a zero-day vulnerability in the Easy WP SMTP plugin, which is currently installed on more than 500,000 sites. The zero-day was patched on Monday and had been used in attacks over the past weeks.
It affects Easy WP SMTP version 1.4.2 and below. The plugin lets site admins configure the site's SMTP settings.
Easy WP SMTP has an optional debug-logging feature that stores its log inside the plugin's installation folder, "wp-content/plugins/easy-wp-smtp/". The log is a text file whose name is prefixed with a randomly generated string, for example 5fcdb91308506_debug_log.txt. If the server has directory listing enabled, anyone can discover the file and read its contents.
To exploit the flaw, an attacker needs the username of an account with administrator access; usernames can be enumerated through the REST API's JSON output or through other methods.
After a password reset is requested for that account through '/wp-admin', the plugin writes a debug log entry inside its directory, and that entry includes the password reset link.
With that link, the attacker can take over the site admin’s account.
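The chain described above leaves a recognisable trail in the web server's access log: a username lookup, a password-reset request, and a successful read of the plugin folder or its debug log. The following detection script is an added example, not code from the article or the plugin; the log lines are constructed, and the exact WordPress URLs (`/wp-json/wp/v2/users`, `/wp-login.php?action=lostpassword`) are assumed.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2020:10:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
203.0.113.7 - - [14/Dec/2020:10:01:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.7 - - [14/Dec/2020:10:01:15 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1433
203.0.113.7 - - [14/Dec/2020:10:01:18 +0000] "GET /wp-content/plugins/easy-wp-smtp/5fcdb91308506_debug_log.txt HTTP/1.1" 200 5120
198.51.100.4 - - [14/Dec/2020:10:05:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/css/style.css HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp"
# Debug log name: random hex prefix followed by _debug_log.txt, as in the article.
DEBUG_LOG_RE = re.compile(r"/easy-wp-smtp/[0-9a-f]+_debug_log\.txt$")


def classify(path, status):
    """Return an indicator label for one request, or None if it looks benign."""
    if path.startswith("/wp-json/wp/v2/users"):
        return "user_enumeration"          # assumed REST endpoint listing users
    if path.startswith("/wp-login.php") and "action=lostpassword" in path:
        return "password_reset"            # assumed lost-password form URL
    if status != 200:
        return None                        # only successful reads of the folder matter
    if path.rstrip("/") == PLUGIN_DIR:
        return "directory_listing"         # listing exposes the random log name
    if DEBUG_LOG_RE.search(path):
        return "debug_log_read"            # the log carries the reset link
    return None


def detect(log_text):
    """Group indicator labels per client IP: {ip: sorted list of labels}."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            label = classify(m["path"], int(m["status"]))
            if label:
                findings[m["ip"]].add(label)
    return {ip: sorted(labels) for ip, labels in findings.items()}


def high_risk(findings):
    """IPs that requested a reset and then read the debug log: likely takeover attempt."""
    return sorted(ip for ip, labels in findings.items()
                  if "password_reset" in labels and "debug_log_read" in labels)
```

A 200 response to the debug log path is itself confirmation that the file is readable, so alert on it even without the other indicators.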
“This vulnerability is currently exploited; make sure to update as soon as possible to the latest version,” Bruandet warned on Monday.