
CVE-2020-35234

Easy WP SMTP <= 1.4.2 - Sensitive Information Disclosure

  • Severity Score: 7.5 (CVSS v3.1)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 1 (Multiple Sources)
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.

The easy-wp-smtp plugin, in versions before 1.4.4 for WordPress, allows takeover of the Administrator account, as exploited "in the wild" in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, they can find a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.

WordPress plugin Easy WP SMTP versions less than or equal to 1.4.2 were found not to include index.html within the plugin folder, which potentially allows directory listings. If debug mode is also enabled for the plugin, all SMTP commands are stored in a debug file. An email must also have been sent from the system for the debug file to be created. If an email hasn't been sent (Test Email function not included), Aggressive can bypass the last check. Combining these items, it's possible to request a password reset for an account, then view the debug file to determine the link that was emailed out, and reset the user's password.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-12-07 CVE Published
  • 2020-12-14 CVE Reserved
  • 2024-05-19 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Wp-ecommerce | Easy Wp Smtp | < 1.4.4 | wordpress | Affected