Vulnerability in WordPress Post SMTP Plugin Allows Site Takeover: Affecting Over 200,000 Websites

Urgent Security Alert: Post SMTP Plugin Vulnerability Puts 200,000+ WordPress Sites at Risk of Takeover

A critical security vulnerability has been discovered in the Post SMTP plugin, a popular tool used on over 200,000 WordPress websites to ensure reliable email delivery. This flaw is exceptionally dangerous, as it can allow an unauthenticated attacker to gain complete administrative control over an affected website, leading to a full site takeover.

If you use the Post SMTP plugin on your WordPress site, immediate action is required to protect your data, users, and reputation.

Understanding the Critical Flaw

The vulnerability is a type of authorization bypass that leads to privilege escalation. In simple terms, a security loophole in the plugin’s setup wizard allows anyone to reset the system’s security credentials.

Here’s how it works: An attacker can exploit the connection between the plugin and its third-party API. By intercepting a specific authorization code during a simulated setup process, the attacker can then use that code to authorize themselves as an administrator.

Once authorized, the attacker can perform a series of malicious actions, including:

  • Resetting the password of any user, including the primary administrator.
  • Creating new, hidden administrator accounts.
  • Installing malicious plugins or themes.
  • Injecting malware or backdoors for persistent access.
  • Redirecting your website traffic to scam sites.

The most alarming aspect of this vulnerability is that it requires no prior authentication. An attacker doesn’t need a username or password to initiate the attack, making any vulnerable website a potential target.

Who Is at Risk?

This vulnerability affects all versions of the Post SMTP plugin up to and including version 2.8.7. A patched version, 2.8.8, has been released to address this critical issue.

With over 200,000 active installations, the potential impact is massive. Every website running a vulnerable version of the plugin is exposed and should be considered at immediate risk of compromise.

How to Protect Your WordPress Website Immediately

Protecting your site from this exploit is straightforward but requires urgent attention. Follow these steps to secure your website now.

1. Update the Post SMTP Plugin Immediately
This is the single most important step. A patched and secure version of the plugin is available.

  • Log in to your WordPress dashboard.
  • Navigate to Dashboard > Updates.
  • Look for the Post SMTP plugin and select it.
  • Click the “Update Plugins” button.
  • You must update to version 2.8.8 or newer.

If you do not see an update notification, go directly to Plugins > Installed Plugins, find Post SMTP, and check the version number. If it is 2.8.7 or below, you must update.

2. Verify the Update Was Successful
After updating, confirm that the new version is active. Go back to the Plugins > Installed Plugins page and ensure Post SMTP now shows version 2.8.8 or higher.

3. Check for Signs of Compromise
Even if you update quickly, it’s wise to check for any suspicious activity.

  • Review User Accounts: Go to Users > All Users in your WordPress dashboard. Look for any administrator accounts you don’t recognize. If you find one, delete it immediately.
  • Inspect Your Site’s Files: Look for unusual files or recently modified core files. If you are not comfortable doing this, consider using a security plugin to scan your site.
  • Check for Unknown Plugins or Themes: Ensure no unauthorized plugins or themes have been installed.
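The version check in step 2 and the account and file review in step 3 can be scripted so they are repeatable across many sites. The script below is an added example written for this article; it is not code from the article or from the Post SMTP project. It assumes the plugin's main file lives at wp-content/plugins/post-smtp/postman-smtp.php and carries a standard WordPress "Version:" header (an assumption; adjust the path if your install differs), that administrator data is supplied in the JSON shape produced by `wp user list --format=json` (also an assumption), and that the sample header, user list and file timestamps embedded in it are constructed for the demonstration.

```python
"""Offline triage helpers for the Post SMTP update: version check, unknown
administrators, and recently modified files. Added example, not project code."""
import json
import os
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

PATCHED_VERSION = "2.8.8"  # first fixed release named in the article
# Assumed location of the plugin's main file (verify on your own install).
PLUGIN_MAIN_FILE = "wp-content/plugins/post-smtp/postman-smtp.php"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.8.7' into (2, 8, 7) so comparison is numeric, not lexical
    ('2.10.0' must sort above '2.8.8')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Extract the Version: value from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """The article states every release up to and including 2.8.7 is affected."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def unknown_admins(users_json: str, known_admins: Set[str]) -> List[str]:
    """Return administrator logins that are not on the owner's allow-list.
    Assumes the `roles` field is a comma-separated string as wp-cli emits."""
    users = json.loads(users_json)
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u.get("roles", "").split(",")
        and u["user_login"] not in known_admins
    )


def recently_modified(files: List[Tuple[str, datetime]], since: datetime) -> List[str]:
    """Return paths whose modification time is at or after `since`."""
    return sorted(path for path, mtime in files if mtime >= since)


def scan_tree(root: str) -> List[Tuple[str, datetime]]:
    """Collect (relative path, mtime) pairs for a real WordPress root."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            out.append((os.path.relpath(full, root), mtime))
    return out


def triage(header_text: str, users_json: str, known_admins: Set[str],
           files: List[Tuple[str, datetime]], since: datetime) -> dict:
    """Combine the three checks into one findings record."""
    version = plugin_version_from_header(header_text)
    return {
        "plugin_version": version,
        "needs_update": version is None or is_vulnerable(version),
        "unknown_admins": unknown_admins(users_json, known_admins),
        "recently_modified": recently_modified(files, since),
    }


# --- constructed sample input for an offline run -------------------------
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Version: 2.8.7
 */
"""
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "roles": "administrator"},
    {"ID": 7, "user_login": "wp_sys_update", "roles": "administrator"},
    {"ID": 3, "user_login": "writer", "roles": "author"},
])
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)   # constructed reference time
SINCE = NOW - timedelta(days=7)                     # look back one week
SAMPLE_FILES = [
    ("wp-includes/version.php", NOW - timedelta(days=90)),
    ("wp-content/uploads/2025/07/cache.php", NOW - timedelta(hours=5)),
    ("wp-config.php", NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    # On a live site: open(PLUGIN_MAIN_FILE).read(), the wp-cli JSON, and
    # scan_tree("/var/www/html") would replace the constructed samples.
    print(json.dumps(triage(SAMPLE_HEADER, SAMPLE_USERS, {"owner"},
                            SAMPLE_FILES, SINCE), indent=2))
```

A file in wp-content/uploads ending in .php is worth a close look because that directory normally holds only media; an administrator login you did not create matches the "hidden administrator accounts" outcome the article describes and should be removed after you confirm it is not a colleague's.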

4. Implement General WordPress Security Best Practices
This incident is a stark reminder that proactive security is essential. To harden your website against future threats, you should:

  • Maintain Regular Backups: Ensure you have recent, complete backups of your website stored in a secure, off-site location.
  • Use a Web Application Firewall (WAF): A WAF can block many common attacks before they ever reach your website.
  • Enforce Strong Passwords: Use complex, unique passwords for all user accounts, especially for administrators.
  • Limit User Permissions: Only grant administrator access to those who absolutely need it. Assign lower-level roles like “Editor” or “Author” to other users.

Staying vigilant about plugin updates is a cornerstone of responsible website management. This Post SMTP vulnerability is a serious threat, but by taking swift and decisive action, you can ensure your website remains secure.

Source: https://securityaffairs.com/180484/security/critical-wordpress-post-smtp-plugin-flaw-exposes-200k-sites-to-full-takeover.html
