Attack on WordPress sites exploits a zero-day in a plugin.

Two groups of hackers targeted Easy WP SMTP. The bug in the popular plugin allowed attackers to take total control of a site. WordPress is by far the most popular backend for managing websites: according to W3Techs data, it is used by 33.4% of the sites in the world. The content management system, however, also holds another, decidedly less enviable record: 90% of the sites hacked in 2018 used the open source CMS.

The blame is placed on the numerous plugins available for the platform, whose frequent security bugs are a boon for hackers aiming to compromise websites. Confirming the security experts' theory is the case of Easy WP SMTP, a WordPress plugin with more than 300,000 active installations that lets administrators configure and manage the SMTP service used for sending email.

Attacks on sites using Easy WP SMTP were first detected last Friday by NinTechNet, which published an alert on its website. The cyber-criminals exploited a vulnerability in version 1.3.9 of the plugin, in the settings import and export system, which in practice allows these operations to be performed without authentication.


Worse still, the import system allows the wp_options table to be modified, letting cyber-criminals create a new user with administrator privileges and take control of the site. The attacks, also examined in detail by WordFence experts in a report, were reportedly carried out by two distinct groups of hackers, both using exactly the technique NinTechNet identified in the first attacks.

The two groups, however, reportedly use the Easy WP SMTP flaw for different purposes. The first limits itself to planting a backdoor that gives it access to the site. The second uses compromised sites to redirect visitors to web pages containing malware.

The advice for all WordPress administrators who use the plugin is, of course, to update immediately to the new version 1.3.9.1 and to scan and check their site to verify that it has not already been hit.
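As a starting point for that check, the following read-only queries (an added example, not taken from the NinTechNet or WordFence reports) review the wp_options settings that govern account creation and list every administrator account. They assume MySQL/MariaDB and the default `wp_` table prefix; the article does not say which options were altered, so the option names chosen here are standard WordPress settings picked as an assumption.

```sql
-- Added example: read-only audit of a WordPress database after the update.
-- Assumption: default table prefix "wp_"; adjust if the site uses another one.

-- 1. Registration settings held in wp_options.
--    Open registration combined with a privileged default role means every
--    new sign-up receives that role.
SELECT
    reg.option_value  AS users_can_register,
    role.option_value AS default_role,
    CASE
        WHEN reg.option_value = '1' AND role.option_value <> 'subscriber'
            THEN 'REVIEW: open registration with elevated default role'
        WHEN reg.option_value = '1'
            THEN 'CHECK: open registration enabled, confirm it is intended'
        ELSE 'ok'
    END AS finding
FROM wp_options AS reg
JOIN wp_options AS role
  ON role.option_name = 'default_role'
WHERE reg.option_name = 'users_can_register';

-- 2. Every account holding the administrator role, newest first.
--    Compare against the list of administrators the site owner expects.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered DESC;

-- 3. Site address, admin contact and role definitions (serialized PHP),
--    for manual comparison with a known-good backup.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'admin_email', 'wp_user_roles');
```

Any administrator account the site owner does not recognise, or any value that differs from a pre-incident backup, is a reason to treat the site as compromised rather than merely outdated.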

Mar 22, 2019 Marco Schiaffino