CVE-2020-35234

HIGH EXPLOITED IN THE WILD NUCLEI

Easy WP SMTP < 1.4.4 - Administrator Account Takeover via Password Reset Link Exposure in Debug Log

Title source: llm

Exploitation Summary

CVE-2020-35234 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including h00die, including a Metasploit module auxiliary/scanner/http/wp_easy_wp_smtp. A Nuclei detection template is also available.

AI-analyzed exploit summary This Metasploit module exploits a vulnerability in WordPress Easy WP SMTP plugin (versions <= 1.4.2) by leveraging directory listing and debug log exposure to reset user passwords. It sends a password reset request and retrieves the reset link from the debug log.

Description

The easy-wp-smtp plugin before 1.4.4 for WordPress allows Administrator account takeover, as exploited in the wild in December 2020. If an attacker can list the wp-content/plugins/easy-wp-smtp/ directory, then they can discover a log file (such as #############_debug_log.txt) that contains all password-reset links. The attacker can request a reset of the Administrator password and then use a link found there.

Exploits (1)

metasploit WORKING POC

by h00die · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_easy_wp_smtp.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in WordPress Easy WP SMTP plugin (versions <= 1.4.2) by leveraging directory listing and debug log exposure to reset user passwords. It sends a password reset request and retrieves the reset link from the debug log.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: WordPress Easy WP SMTP plugin <= 1.4.2

No auth needed

Prerequisites: Directory listing enabled · Debug mode enabled in the plugin · A debug log file must exist (or AGGRESSIVE mode enabled)

MITRE ATT&CK

T1592 - Gather Victim Host Information T1110 - Brute Force

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

SMTP WP Plugin Directory Listing

HIGHby PR3R00T

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://blog.nintechnet.com/wordpress-easy-wp-smtp-plugin-fixed-zero-day-vulnerability/

Product, Release Notes, Third Party Advisory x_refsource_misc

https://wordpress.org/plugins/easy-wp-smtp/#developers

Scores

CVSS v3 7.5

EPSS 0.6341

EPSS Percentile 99.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2020-12-13

InTheWild.io 2020-12-15

CWE

CWE-532

Status published

Products (1)

wp-ecommerce/easy_wp_smtp < 1.4.4

Published Dec 14, 2020

Tracked Since Feb 18, 2026