常見的易遭受利用 WP WordPress Plugin
Popular WordPress plugin vulnerable to unauthenticated attacks continues to be targeted despite the availability of a patch.
背景說明
On March 17, researchers at Ninja Technologies Network (NinTechNet) published a blog about their discovery of a critical zero-day vulnerability in the Easy WP SMTP plugin that attackers began exploiting in the wild on March 15. According to WordPress, the Easy WP SMTP plugin has over 300,000 active installations. The Easy WP SMTP plugin authors released a patched version of the plugin on March 17. However, researchers at Defiant continue to observe attacks in the wild targeting this plugin.
分析
The vulnerability exists in version 1.3.9 of the Easy WP SMTP plugin. It was reportedly introduced when the authors added Import/Export functionality to the admin_init function. According to NinTechNet, this function is used to “view/delete the log, import/export the plugin configuration and to update options in the WordPress database.” The issue appears to be that any logged-in user is capable of executing these commands, as the code does not validate their privileges. What makes this more severe is the plugin’s use of AJAX, which is available in the admin_init function and allows unauthenticated users to execute these commands without logging into a vulnerable site.
概念驗證
NinTechNet provided a proof of concept in its blog post that uploads a file to a vulnerable WordPress site, modifying its settings to allow any user to register on the site and grant administrator permissions to all users. They also mention that this vulnerability could be leveraged to achieve remote code execution.
解決方法
The Easy WP SMTP plugin was updated to version 1.3.9.1 on March 17 to address this vulnerability. It is important for site administrators to ensure this plugin is up to date.
Site administrators must regularly review what plugins are running on their sites and whether they are up-to-date. Plugin updates may contain fixes for security issues and failure to update can leave sites vulnerable to compromise.
找出受影響的系統
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
取得更多資訊
- NinTechNet blog post
- Wordfence report on exploitation in the wild
- Easy WP SMTP plugin description page
加入 Tenable Community 的 Tenable 安全回應團隊。
深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。
Get a free 60-day trial of Tenable.io Vulnerability Management.
Satnam Narang
安全應變資深研發工程師
Satnam 於 2018 年加入 Tenable 公司。他在業界擁有 15 年的豐富經驗 (M86 Security 和賽門鐵克)。 他對於防網路釣魚工作小組 (Anti-Phishing Working Group) 多所貢獻,協助美國國家網路安全聯盟 (National Cyber Security Alliance) 開發一份社群網路指南 (Social Networking Guide),並且揭露了一個 Twitter 上的龐大垃圾郵件 botnet,同時也是第一個提報 Tinder 上垃圾郵件機器人的人。他還曾出現在 NBC 夜線新聞、Entertainment Tonight、Bloomberg West 以及 Why Oh Why 播客中。
他在工作之餘的興趣:Satnam 喜歡寫詩和創作嘻哈音樂。他喜歡參加現場音樂表演、和他 3 個姪女做伴、足球、藍球、看寶萊塢電影、玩音樂以及 Grogu (尤達寶寶)。