Vulnerability Description
The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugins settings and arbitrary options on the site that can be used to inject new administrative user accounts.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wp-Ecommerce | Easy Wp Smtp | <= 1.3.9 |
Related Weaknesses (CWE)
References
- https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-Exploit
- https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=205205Patch
- https://wordpress.org/support/topic/vulnerability-26/ExploitIssue TrackingMitigation
- https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aeeBroken LinkThird Party Advisory
- https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-Exploit
- https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=205205Patch
- https://wordpress.org/support/topic/vulnerability-26/ExploitIssue TrackingMitigation
- https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aeeBroken LinkThird Party Advisory
FAQ
What is CVE-2019-25141?
CVE-2019-25141 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition ...
How severe is CVE-2019-25141?
CVE-2019-25141 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-25141?
Check the references section above for vendor advisories and patch information. Affected products include: Wp-Ecommerce Easy Wp Smtp.