5 Dec 2022

Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind offering protection that simply keeping plugins updated would have provided, and failing to offer it at all for a vulnerability likely to be exploited by a hacker. At the end of the week, they put out information on what they claimed were vulnerabilities that had existed in the plugin Easy WP SMTP, which is used by at least one of our customers, so we went to check that over. What we found is that they were not vulnerabilities, as the “attacker” would already need to have control of the website, because they would need to be logged in as an Administrator.

One of those was claimed to be an authenticated arbitrary file deletion vulnerability, described this way:

7 Oct 2022

Not Really a WordPress Plugin Vulnerability, Week of October 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

PHP Object Injection in Easy WP SMTP

One of the changelog entries for version 1.4.9 of Easy WP SMTP is:

22 Mar 2019

WordPress Plugin Developers and Users Should Be Proactive, Not Reactive, About the Security of Them

This week the WordPress plugins Easy WP SMTP and Social Warfare had vulnerabilities, which have now been fixed, widely exploited. In both cases the vulnerabilities were not due to obscure issues that no one had ever heard of before, but to the failure to do security basics. In the case of both plugins, even after having vulnerabilities exploited, the developers still haven’t fully fixed up the security of the code related to the vulnerabilities (and the WordPress team has allowed them to remain in the Plugin Directory despite that).

Both plugins have started picking up quite a few negative reviews since the exploitation.

22 Mar 2019

Not Really a WordPress Plugin Vulnerability, Week of March 22

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Stored XSS and Password Viewing in Easy WP SMTP

In a reply in a topic about the vulnerability that was being exploited this week in Easy WP SMTP, which was subsequently deleted (as were numerous other replies), someone asked if the vulnerabilities that a report claimed existed in the plugin had been fixed. That report is nearly two years old, but we are always looking to make our data more complete, even if it involves adding something fixed long ago. What we found, though, is that there really wasn’t a vulnerability, as the person making the claim seemed not to have a great understanding of the WordPress security model.

20 Mar 2019

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, who we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it came to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

Hi,

19 Mar 2019

Other WordPress Plugin Vulnerability Data Sources Still Not Warning About Fixed or Unfixed Vulnerabilities in Easy WP SMTP

Today we have had a lot of traffic coming to our posts about the fixed and unfixed vulnerabilities in the plugin Easy WP SMTP. The likely explanation is something else we have been seeing today: in dealing with the cleanup of hacked WordPress websites over at our main business, and in other mentions of hacked websites, we are seeing indications that the option update vulnerability fixed in that plugin, and possibly the other recently fixed option update vulnerability impacting many plugins, are being widely exploited to change the WordPress option “siteurl” on websites so that requests are made to “getmyfreetraffic.com” (based on past experience with this type of vulnerability, that likely isn’t the only thing the hackers are doing with the vulnerabilities on those websites).

Customers of our service using that plugin have already been warned about the fixed and unfixed vulnerabilities in that plugin, but anyone relying on other data sources for info on vulnerabilities in plugins they use is so far in the dark.

18 Mar 2019

Missed Vulnerabilities in Easy WP SMTP Show Why Checking Over Security Fixes is Important

One of the things that we do to make sure we are providing our customers with the best data on vulnerabilities in WordPress plugins they might be using is to monitor the changelogs of plugins to spot the possibility that vulnerabilities have been fixed, and then try to figure out if the changes actually involve a vulnerability. In doing that we have often found that vulnerabilities have only been partially fixed or haven’t been fixed at all. That is the case with the plugin Easy WP SMTP, which has 300,000+ active installations according to wordpress.org, where we reviewed the changes made before the discoverer had put out a post on the vulnerabilities.

The changelog for the latest release of that is:

18 Mar 2019

Vulnerability Details: Option Update Vulnerability in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. The most serious of those, an option update vulnerability, was already being exploited before it was fixed, according to the discoverer NinTechNet.


18 Mar 2019

Vulnerability Details: Information Disclosure in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. Looking at the changes made in that version, we found that as of the previous version even someone not logged in to WordPress could export all of the plugin’s settings, which would include the login details for an SMTP server.


18 Mar 2019

Vulnerability Details: PHP Object Injection in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. Looking at the changes made in that version, we noticed that in the import portion there was previously a PHP object injection vulnerability, and there is still a CSRF issue related to that.
