CVE-2019-25141

CRITICAL EXPLOITED NUCLEI

Easy WP SMTP <1.3.9 - Auth Bypass

Title source: llm

Description

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugins settings and arbitrary options on the site that can be used to inject new administrative user accounts.

Nuclei Templates (1)

Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update

CRITICALVERIFIEDby DhiyaneshDK

References (4)

[Exploit] https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin/

[Patch] https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail=

[Exploit, Issue Tracking, Mitigation] https://wordpress.org/support/topic/vulnerability-26/

[Broken Link, Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aee6-b96d70bee264?source=cve

Scores

CVSS v3 9.8

EPSS 0.6286

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2014-07-23

CWE

CWE-862

Status published

Products (2)

smub/Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more < 1.3.9.1

wp-ecommerce/easy_wp_smtp < 1.3.9

Published Jun 07, 2023

Tracked Since Feb 18, 2026