A vulnerability has been found in the popular WordPress plugin "Easy WP SMTP", which has more than 100,000 active installations. The flaw lets an attacker reset the administrator password and take full control of the site.
The vulnerability lies in the plugin's debug log file, and it is caused by a very basic mistake in how the plugin manages one of its folders. Plugins keep a folder on the server for the files they need to store for users, and such a folder normally contains an empty index.html file. The purpose of that file is to prevent anyone who browses to the folder from seeing a listing of the files in it.
Anyone who can see that listing can then open those files, and that is the problem.
The folder in which the debug log is written does not contain an index.html file. On servers where directory listing has not been disabled (for example Apache without `Options -Indexes`, or nginx with `autoindex on`), an attacker can therefore read the log file by simply requesting the folder URL.
First, the attacker obtains the username of an administrator-level account on the WordPress site, using well-known enumeration techniques.
Next, they go to the WordPress login page and request a password reset for that administrator account.
Then they open the exposed debug log file and retrieve the password-reset link that the site emailed, since the plugin logs the outgoing mail. With that link they set a new password and have full access to the site.
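The attack sequence above leaves a recognisable trail in the web server's access log: a listing of the plugin folder, a password-reset request, a read of the debug log file, and then a visit to the reset link, all from one client. The following detection script is an added example written for this article, not code from the plugin or its authors. The plugin folder path, the `.txt` extension of the log file and the Combined Log Format sample lines are assumptions made for illustration; adjust them to what is actually on your server.

```python
"""Detect the exposed-debug-log password-reset pattern in web server access logs.

Added example for this article; not code from the Easy WP SMTP plugin.
Assumptions: the plugin lives under PLUGIN_DIR and its debug log ends in LOG_EXT.
"""
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"  # assumed plugin folder
LOG_EXT = ".txt"                                   # assumed debug log extension

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (TEST-NET addresses, placeholder reset key): one attacker
# following the described sequence and one ordinary user resetting a password.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2020:10:01:02 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1832
203.0.113.5 - - [10/Dec/2020:10:01:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
203.0.113.5 - - [10/Dec/2020:10:01:20 +0000] "GET /wp-content/plugins/easy-wp-smtp/debug_log.txt HTTP/1.1" 200 5120
203.0.113.5 - - [10/Dec/2020:10:01:35 +0000] "GET /wp-login.php?action=rp&key=abc123&login=admin HTTP/1.1" 200 2210
198.51.100.7 - - [10/Dec/2020:10:05:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0
198.51.100.7 - - [10/Dec/2020:10:06:00 +0000] "GET /wp-login.php?action=rp&key=def456&login=editor HTTP/1.1" 200 2210
"""


def is_directory_listing(body: str) -> bool:
    """Heuristic check of a response body: Apache and nginx autoindex pages
    both carry an "Index of /..." title. A 403 page does not."""
    return re.search(r"<title>\s*Index of /", body, re.IGNORECASE) is not None


def classify_request(method: str, path: str, status: int):
    """Map one request to a stage of the attack, or None if it is unrelated."""
    url = urlsplit(path)
    qs = parse_qs(url.query)
    # A 403 on the folder means directory listing is disabled: not an exposure.
    if method == "GET" and status == 200 and url.path == PLUGIN_DIR:
        return "listing"
    if (method == "GET" and status == 200
            and url.path.startswith(PLUGIN_DIR) and url.path.endswith(LOG_EXT)):
        return "logread"
    if url.path.endswith("/wp-login.php"):
        action = qs.get("action", [""])[0]
        if action == "lostpassword" and method == "POST":
            return "lostpassword"
        if action == "rp" and "key" in qs:
            return "resetkey"
    return None


def find_reset_hijacks(lines):
    """Return one alert per client that used the reset link only after
    requesting a reset AND reading the plugin folder or its debug log."""
    seen = {}      # ip -> ordered list of attack stages observed so far
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        event = classify_request(m["method"], m["path"], int(m["status"]))
        if event is None:
            continue
        events = seen.setdefault(m["ip"], [])
        if (event == "resetkey" and "lostpassword" in events
                and {"listing", "logread"} & set(events)):
            alerts.append({"ip": m["ip"], "time": m["time"],
                           "events": events + [event]})
        events.append(event)
    return alerts


if __name__ == "__main__":
    for alert in find_reset_hijacks(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['ip']} reset hijack: {' -> '.join(alert['events'])}")
```

A plain password reset (request followed by a visit to the link) is normal user behaviour and is deliberately not flagged; the alert fires only when the same client also read the plugin folder or the debug log. Run the script against a real access log by replacing `SAMPLE_LOG.splitlines()` with the file's lines, and treat a `403` on the folder URL as confirmation that directory listing is off.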
The plugin maintains a changelog that records what changed in each release. Site owners should read it so that they know what an update actually does.
When a vulnerability is discovered, the plugin developers normally state in the changelog that it has been patched. That gives the site owner the information needed to make an informed decision: a changelog entry saying that an update fixes a vulnerability is the signal to upgrade the plugin promptly, before attackers exploit the flaw.
All users of the Easy WP SMTP plugin are strongly advised to update to a version newer than 1.4.2.