Easy WP SMTP plugin vulnerability

Easy WP SMTP plugin vulnerability threatens 300k WordPress websites

Easy WP SMTP plugin gets a lot of attention these days due to zero-day (0-day) vulnerability disclosed recently. Why it gets so much attention? Well maybe because this plugin has more than 300.000 active installs and perhaps because the vulnerability is easily exploitable with a high attack success rate. Let’s take a look closer what is happening, but before we proceed, I would like to recommend you update the Easy WP SMTP plugin to the latest available version (version if you use it on your WordPress site.

Easy WP SMTP plugin zero-day vulnerability

Easy WP SMTP is quite a popular WordPress plugin with more than 300.000 active installs. It is designed to make it easier to configure and send outgoing emails from your WordPress site via SMTP server instead of using native wp_mail() function.

Like most of the WordPress plugins Easy WP SMTP plugin has an administration page which allows specifying data necessary for SMTP configuration and more. Also, there is a function to export and export settings, and that’s where the vulnerability was discovered by Nintechnet.

The vulnerability could be exploited even by unauthenticated visitors. And there are several attack vectors possible leading to gaining an administrator level user or sensitive data leak like SMTP credentials.

Nintechnet even published the POC (proof of concept) of two steps:

1. Create a file name “/tmp/upload.txt” and add this content to it:


2. Upload the file:

$ curl -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'

These two steps will make it possible to register on this site with the administrator role. It’s more than enough to take over the control of the site. Several resources can help an attacker to find the websites equipped with this plugin and if you remember we are talking about 300.000 websites.

According to Nintechnet, they notified the Easy WP SMTP plugin authors about the security issue on 2019 March 15, patched version of the plugin was available on 2019 March 17.

What’s happening now?

We have checked the statistics of this plugin, and we see some frightening things. WordPress plugin repository says that there are more than three hundred thousand active installations. Also, the same page provides more data about downloads each day.

Easy WP SMTP plugin statistics

The last peak on the graph shows results for 2019 March 18. And now the scary part:

  • Downloads today – 16,289
  • Downloads yesterday – 17,930
  • Downloads for last 7 Days – 96,120

What we want to say is that there are 300k+ websites with this plugin and the download counter tells us that there are more than 200k+ websites still vulnerable. Why? Because security is not taken seriously yet. The WordPress community still has no habit of tracking security news and taking urgent action if the situation requires so.

That’s why we have built the WordPress vulnerability database and provide the API connection to it from our WordPress security plugin. To provide critical information on time and save your websites and reputation from trouble.

We hope that this vulnerability will be managed appropriately by all users and hosting companies and will not harm the reputation of WordPress. Keep your websites up to date, don’t forget to monitor the behavior of your sites and stay safe.

Darius S.

Similar Posts

ThreatPress API keys

Free WordPress Vulnerability Database API

Recently, we received a few queries related to our services, specifically for WordPress Vulnerability Database. So to make it clear we ...

CIA triad - information security

CIA triad in the WordPress and WooCommerce security perspective

CIA triad is an abbreviation for confidentiality, integrity, and availability. The CIA triad is considered to be the basis for all ...

PCI compliance WooCommerce

What is PCI compliance and do you need it for your WooCommerce store

PCI compliance or more precisely PCI DSS (Payment Card Industry Data Security Standard) developed by the Payment Card Industry Security ...

Leave a Reply

Your email address will not be published. Required fields are marked *