The WordPress Easy WP SMTP plugin has fixed a zero-day vulnerability affecting version 1.4.2 and below that could allow an unauthenticated user to reset the admin password.
The plugin has 500,000+ active installations.
The plugin has an optional debug log to which it writes every email message sent by the blog, including headers and body. The log is located inside the plugin's installation folder, wp-content/plugins/easy-wp-smtp/.
"The plugin's folder doesn't have any index.html file, hence on servers that have directory listing enabled, hackers can find and view the log," said Jerome Bruandet.
Credits: Ninja Technologies Network (NinTechNet)
A password reset requires sending an email containing the password reset link to the admin's email account. That email is also recorded in the debug log.
Once the attacker has grabbed the password reset link, they can proceed to the admin dashboard, upload malicious plugins, take over the website, and download the database.
Update immediately if you have version 1.4.2 or below installed.
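The two conditions described above (a debug log sitting in the plugin folder, and a folder that can be listed because it has no index.html) are both easy to check for from the defender's side. The following script is an added example written for this article; it is not code from the plugin or from NinTechNet. It does two things: audits a local WordPress tree for the plugin folder's index.html and any log-like files, and scans web-server access log lines for successful directory listings of the plugin folder or successful reads of log files under it. The log lines, the log file name example_debug_log.txt, and the IP addresses are constructed for the example; the article does not give the real log file name, so the filesystem audit flags any .txt/.log file whose name contains "log" rather than a specific file.

```python
import re
import tempfile
from pathlib import Path

# Plugin folder named in the article; used both for URL paths and on disk.
PLUGIN_URL_DIR = "/wp-content/plugins/easy-wp-smtp/"
PLUGIN_FS_DIR = Path("wp-content") / "plugins" / "easy-wp-smtp"

# Fields we need from an Apache/nginx "combined" access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not captured from a real server).
# Line 1: successful listing of the plugin folder.
# Line 2: successful read of a log file (placeholder name, assumption).
# Line 3: a normal asset request, should not be flagged.
# Line 4: unrelated request, should not be flagged.
# Line 5: listing attempt that was denied (403), should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2020:10:01:12 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2020:10:01:15 +0000] "GET /wp-content/plugins/easy-wp-smtp/example_debug_log.txt HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Dec/2020:10:02:01 +0000] "GET /wp-content/plugins/easy-wp-smtp/css/style.css HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Dec/2020:10:03:44 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.0.2.8 - - [14/Dec/2020:10:05:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""


def classify_request(path, status):
    """Label one request as 'directory_listing', 'log_file_read', or None."""
    if not path.startswith(PLUGIN_URL_DIR):
        return None
    rest = path[len(PLUGIN_URL_DIR):].split("?", 1)[0]
    if status != "200":
        # Only a successful response means content was actually served.
        return None
    if rest == "":
        # A 200 for the bare folder is what a directory listing looks like.
        return "directory_listing"
    if rest.lower().endswith((".txt", ".log")):
        return "log_file_read"
    return None


def scan_access_log(text):
    """Return (ip, label, path) for every suspicious line in an access log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        label = classify_request(m["path"], m["status"])
        if label:
            findings.append((m["ip"], label, m["path"]))
    return findings


def audit_plugin_folder(wp_root):
    """Check a local WordPress tree for a missing index.html and log-like files."""
    folder = Path(wp_root) / PLUGIN_FS_DIR
    report = {"exists": folder.is_dir(), "has_index": False, "log_files": []}
    if not report["exists"]:
        return report
    report["has_index"] = (folder / "index.html").is_file()
    # The article does not name the log file, so match by extension and the
    # word "log" in the name; readme.txt and similar are left alone.
    report["log_files"] = sorted(
        str(p.relative_to(folder)) for p in folder.rglob("*")
        if p.is_file() and p.suffix.lower() in (".txt", ".log") and "log" in p.name.lower()
    )
    return report


def build_demo_tree():
    """Create a throwaway WordPress-like tree reproducing the weak layout."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    plugin = root / PLUGIN_FS_DIR
    plugin.mkdir(parents=True)
    (plugin / "readme.txt").write_text("plugin readme\n")
    (plugin / "example_debug_log.txt").write_text("constructed log content\n")
    return str(root)


if __name__ == "__main__":
    for ip, label, path in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {label} {path}")
    print(audit_plugin_folder(build_demo_tree()))
```

A report with has_index False and a non-empty log_files list is the combination the article describes; the fix on the server side is to update the plugin and make sure directory listing is disabled for the web root, and the access-log scan tells you whether anyone already fetched the listing or the log before that happened.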