CVE-2019-25141

9.8 CRITICAL

📋 TL;DR

The Easy WP SMTP WordPress plugin up to version 1.3.9 has an authorization bypass vulnerability that allows unauthenticated attackers to modify plugin settings and create administrative user accounts. This occurs due to missing capability checks and insufficient input validation in the admin_init() function. Any WordPress site using the vulnerable plugin versions is affected.

💻 Affected Systems

Products:
  • Easy WP SMTP WordPress Plugin
Versions: Up to and including 1.3.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

Easy WP SMTP is a WordPress plugin that routes the site's outgoing mail (wp_mail) through a configured SMTP server instead of the local mail() function. Its settings, including stored SMTP credentials, are managed from the WordPress admin area.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover with attacker creating administrative accounts, installing backdoors, defacing content, and stealing sensitive data.

🟠

Likely Case

Attackers create hidden admin accounts to maintain persistent access, then deploy malware, redirect traffic, or exfiltrate data.

🟢

If Mitigated

With the plugin updated or deactivated, admin-area access restricted, and alerting on new administrator accounts and plugin setting changes, an attempt would be blocked or detected before significant damage.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal WordPress sites could still be compromised if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafted, unauthenticated HTTP requests to the WordPress admin endpoints; public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.0 and later

Vendor Advisory: https://wordpress.org/plugins/easy-wp-smtp/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Easy WP SMTP.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.4.0+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Easy WP SMTP plugin until patched

wp plugin deactivate easy-wp-smtp

Restrict Admin Access

linux

Limit access to WordPress admin area to specific IP addresses

# Apache 2.4: put this in wp-admin/.htaccess. The vulnerable admin_init hook
# runs on every wp-admin request (admin-post.php included), so restrict the
# whole directory. Note: this also blocks admin-ajax.php for anonymous visitors.
Require ip 192.168.1.0/24
# Apache 2.2 equivalent:
# Order Deny,Allow
# Deny from all
# Allow from 192.168.1.0/24
# Or enforce the same restriction with web application firewall rules

🧯 If You Can't Patch

  • Remove the Easy WP SMTP plugin completely and use an alternative SMTP solution
  • Alert on any new administrator account and on changes to Easy WP SMTP settings (for example via a WordPress activity-logging plugin or database auditing), since these are the attacker's first actions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Easy WP SMTP version ≤1.3.9

Check Version:

wp plugin get easy-wp-smtp --field=version

Verify Fix Applied:

Confirm plugin version is 1.4.0 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-post.php carrying swpsmtp actions from clients with no logged-in session (note: standard web server access logs do not record POST bodies, so body-level parameters are only visible in WAF or reverse-proxy logs that capture them)
  • Sudden creation of new administrator accounts
  • Changes to Easy WP SMTP settings from unexpected IPs

Network Indicators:

  • HTTP requests containing 'swpsmtp' parameters from unauthenticated sources
  • Unusual traffic patterns to WordPress admin endpoints

SIEM Query:

source="wordpress.log" AND (("admin-post.php" AND "swpsmtp") OR ("user created" AND "administrator"))
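The log indicators above, applied to web server access logs. This is an added example for this advisory, not code from the plugin or from any SIEM vendor. It assumes the Apache/Nginx "combined" log format and flags two things: any request whose URL contains "swpsmtp", and any POST to /wp-admin/admin-post.php from a client IP that has not completed a login (a successful credential POST to wp-login.php is answered with a 302 redirect; failed logins re-render the form with a 200). The sample lines, IP addresses and the `swpsmtp_import_settings` query parameter are constructed for illustration, not captured traffic:

```python
"""Flag access-log lines consistent with CVE-2019-25141 probing.

Added example for this advisory page; not code from the Easy WP SMTP project.
Assumes the Apache/Nginx "combined" log format. SAMPLE_LOG is constructed
test data, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one scanner posting straight to admin-post.php, one
# legitimate admin who logged in first, and one GET with a swpsmtp parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.21.0"
203.0.113.5 - - [10/Mar/2019:12:00:03 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.21.0"
198.51.100.7 - - [10/Mar/2019:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:12:05:40 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://example.test/wp-admin/options-general.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:12:07:00 +0000] "GET /wp-admin/admin-post.php?swpsmtp_import_settings=1 HTTP/1.1" 200 512 "-" "curl/7.64.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def is_login_success(rec):
    """A successful credential POST to wp-login.php is redirected (302).

    The register and lostpassword forms also POST to wp-login.php and
    redirect, but they carry action=..., so they are excluded here.
    """
    return (
        rec["method"] == "POST"
        and rec["path"] == "/wp-login.php"
        and rec["status"] == 302
        and "action" not in rec["query"]
    )


def find_suspicious(log_text):
    """Return (ip, reason, raw_line) tuples for lines worth a look.

    Lines are processed in order, so a login only whitelists an IP for the
    admin-post.php requests that follow it.
    """
    logged_in = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_login_success(rec):
            logged_in.add(rec["ip"])
            continue
        if "swpsmtp" in rec["target"].lower():
            hits.append((rec["ip"], "swpsmtp parameter in request URL", line))
        elif (
            rec["method"] == "POST"
            and rec["path"] == "/wp-admin/admin-post.php"
            and rec["ip"] not in logged_in
        ):
            hits.append((rec["ip"], "POST to admin-post.php with no prior login from this IP", line))
    return hits


if __name__ == "__main__":
    for ip, reason, _line in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

The per-IP "no prior login" heuristic is only as good as the log window you feed it; logins behind a NAT or from a different egress address will show as unauthenticated, so treat hits as triage candidates and confirm against the WordPress users table and the plugin's stored settings.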
