Seems like WordPress can't catch a break. Another zero-day vulnerability in a plugin for WordPress which has been installed in more than 500,000 sites. In this particular vulnerability, it allows hackers to reset passwords for admin accounts.
This vulnerability was used for weeks on end and thankfully was patched Monday. It was able to impact Easy WP SMTP which is a plugin to let site owners to configure SMTP settings for outgoing emails. A company called Ninja Technologies Network or NinTechNet for short. They state that Easy WP SMTP 1.4.2 and older versions have a feature that creates debug logs for all emails and is stored in the installation folder.
"The plugin's folder doesn't have any index.html file, hence, on servers that have directory listing enabled, hackers can find and view the log," said NinTechNet's Jerome Bruandet. He also says that sites still running on these outdated versions the hackers have been able to automate the attacks to identify the admin account and do a password reset.
Since a password reset involves sending an email with the password reset link to the account, that very email is displayed in the Easy WP SMTP debug log. So, the attacker can grab the reset link and take over the account.
"This vulnerability is currently exploited, make sure to update as soon as possible to the latest version," Bruandet warned earlier this week on Monday.
Now there is Easy WP SMTP 1.4.4 which the developers found a workaround for the vulnerability by moving the debug logs into the WordPress logs folder. This is now the second vulnerability as the first one was found back in March of 2019 with the same plugin.
That vulnerability allowed backdoors on accounts. While it's an unfortunate situation this time with WordPress 5.5 where it has an auto-update feature, so an admin doesn't need to update it manually. But the question is if those sites are updated and have the auto-update feature enabled.
Hopefully a good admin who checks and updates regularly enable the auto-update to avoid this plugin mess.