CVE-2019-25141

CRITICAL EXPLOITED NUCLEI

Easy WP SMTP < 1.3.9 - Unauthenticated Authorization Bypass via admin_init()

Exploitation Summary

CVE-2019-25141 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugin's settings and arbitrary options on the site, which can be used to inject new administrative user accounts.

Nuclei Templates (1)

Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
CRITICAL | VERIFIED | by DhiyaneshDK

Scores

CVSS v3 9.8
EPSS 0.0446
EPSS Percentile 90.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2014-07-23
CWE
CWE-862
Status published
Products (2)
smub/Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more < 1.3.9.1
wp-ecommerce/easy_wp_smtp < 1.3.9
Published Jun 07, 2023
Tracked Since Feb 18, 2026