CVE-2019-25141
Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
Severity Score
9.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugins settings and arbitrary options on the site that can be used to inject new administrative user accounts.
*Credits:
Jerome Bruandet
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-03-17 CVE Published
- 2023-06-06 CVE Reserved
- 2024-07-09 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aee6-b96d70bee264?source=cve | Broken Link |
| URL | Date | SRC |
|---|---|---|
| https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin | 2024-08-05 | |
| https://wordpress.org/support/topic/vulnerability-26 | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail= | 2023-11-07 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wp-ecommerce Search vendor "Wp-ecommerce" | Easy Wp Smtp Search vendor "Wp-ecommerce" for product "Easy Wp Smtp" | <= 1.3.9 Search vendor "Wp-ecommerce" for product "Easy Wp Smtp" and version " <= 1.3.9" | wordpress |
Affected
| ||||||