Hackers are resetting passwords for admin accounts on WordPress sites using a zero-day vulnerability in a popular WordPress plugin installed on more than 500,000 sites.
The zero-day was used in attacks over the past weeks and was patched on Monday.
It impacts Easy WP SMTP, a plugin that lets site owners configure the SMTP settings for their website’s outgoing emails.
According to the team at Ninja Technologies Network (NinTechNet), Easy WP SMTP 1.4.2 and older versions of the plugin contain a feature that creates debug logs for all emails sent by the site, which it then stores in its installation folder.
The plugin’s folder doesn’t have any index.html file, hence, on servers that have directory listing enabled, hackers can find and view the log, said NinTechNet’s Jerome Bruandet.