When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it came to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:
From which oldest version of EasySMTP is the 0-day vulnerability affected that is not patched with 220.127.116.11?
Also I really hate that there are no dates on released versions of EasySMTP, as we had worked with a bunch of companies in 2016 when we used EasySMTP for them.
The response from Jan starts:
I’ve removed the tag “0-day” as that term is mistakenly used too often.
While the term is often misused (and probably more accurately abused) by companies like the one behind the Wordfence Security plugin, this is an instance where it would seem to be accurate, as the discoverer of the vulnerability, NinTechNet, wrote this about it:
The vulnerability, found in version v1.3.9, has been exploited by hackers since at least March 15, and was caught by our Web Application Firewall for WordPress, NinjaFirewall (WP Edition).
The vulnerability was fixed on March 17.
A zero-day vulnerability is one that is being exploited before the developer knows about it (and therefore before a fix is available), so unless the developer knew about it before March 15, this was a zero-day.
What Jan gets very wrong is this though:
No one is going to dive into the old code and confirm or test.
That is exactly what we do with every vulnerability we add to our data set (it isn’t as if this person isn’t aware of us, but from what we have seen they don’t seem to pay much attention).
In this case, though, you don’t have to do much diving, as the changelog entry for the version this was fixed in is:
Fixed potential vulnerability in import\export settings.
One of the changelog entries for the previous version is:
Added Export\Import settings functionality.
If you actually dive into the code you will find the same thing: the vulnerability was introduced in version 1.3.9 of the plugin, along with the import/export functionality.
That version was released on March 3, so it took hackers less than two weeks to find and exploit the vulnerability.
There is another related vulnerability that existed in earlier versions of the plugin though, so another of Jan’s recommendations would seem like a good idea:
if you or anyone is using a version less than 18.104.22.168 then assume you are vulnerable
But there is a problem with that as well, as the current version of the plugin is also publicly known to be vulnerable, something one of the moderators of the Support Forum decided to hide from the developer when we tried to notify them of it as part of our full disclosure.