More threads by djbaxter

djbaxter

Administrator
Joined
Jun 28, 2012
Messages
3,778
Solutions
2
Reaction score
1,877
Hackers Abusing Recently Patched Vulnerability In Easy WP SMTP Plugin
by Mikey Veenstra , Wordfence
March 20, 2019

Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email, and has a userbase of over 300,000 active installs. The vulnerability is only present in version 1.3.9 of the plugin, and all of the plugin’s users should update to 1.3.9.1 as quickly as possible to address the flaw.

This vulnerability is under active attack, being used by malicious actors to establish administrative control of affected sites en masse. ....

The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers. As always, it’s important for users to regularly update their plugins in order to apply the security patches for vulnerabilities like these. Easy WP SMTP version 1.3.9.1 prevents unauthenticated access to the import script, as well as restricting affected options to only include expected values.

For typical WordPress users, if you believe your site may have been compromised as a result of this or any other vulnerability, consider reaching out to our team for a site cleaning. Otherwise, be on the lookout for the following indicators of compromise (IOCs):
  • Logged traffic from the following IPs:
    • 185.212.131.45
    • 185.212.128.22
    • 185.212.131.46
    • 86.109.170.200
  • Database siteurl and home values not matching their intended values, especially including the following domains:
    • setforconfigplease[.]com
    • getmyfreetraffic[.]com
  • Administrator accounts present for unknown users. For example:
    • devidpentesting99
    • larryking99
  • Malicious <script> tags injected into the first line of index.php files. For example:
    • <script type='text/javascript' async src='hXXps://setforspecialdomain[.]com/in2herg42t2?type=in2&frm=scr&'></script>


Read more...
 
Also:

Earlier today, an unnamed security researcher published a full disclosure of a stored Cross-Site Scripting (XSS) vulnerability present in the most recent version of popular WordPress plugin Social Warfare. The plugin, which was subsequently removed from the WordPress.org plugin repository, has an active install base of over 70,000 sites. The flaw allows attackers to inject malicious JavaScript code into the social share links present on a site’s posts, and is under active attack in the wild.

We've just published a brief PSA including recommendations for impacted site owners.

You can read the full post on the official Wordfence blog…
 

Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

LocalU Event

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...
Top Bottom