CP hacked via hidden outdated plugin, Easy WP SMTP

This is both a specific alert for the Easy WP SMTP plugin and a general warning.

I have just had a site hacked by someone initiating a password reset, then accessing some information that allowed them to reset the password externally. They then deactivated the firewall but didn’t do much else and I was able to restore a backup this morning.

Details are here: https://www.searchenginejournal.com/easy-wp-smtp-plugin-vulnerability/390109

I use this plugin on almost all my sites and when I checked it out, I found that it has had 2 updates recently, but was still showing as fully up-to-date on all my sites. This is because it had also been changed to “Requires WP 5.0 or higher”.

Apparently if you are using a plugin that was WP4.9 and gets changed to WP5+ then you will not receive any further update notices.

This indicates to me a very serious deficiency in how we are using plugins. Any plugin might be updated to fix some security flaw, but will not show up on our sites as needing an update if it also moved to >WP5. So we will happily be using the old, unsafe version… until we get hacked.

3 Likes

And this can be the end to the “if it works on 4.9 it is ok for CP” like we know it.

Now it’s “if it was ok on WP 4.9 it’s ok for CP but you will have to maintain it backporting security fixes because it could be that vulnerabilities come to light”.

This means CP needs a starter toolbox. A set of plugins like ClassicSEO, CF8, ClassicCommerce etc, covering the major use cases.

Just to kickstart the ecosystem and appear reliable to the people around.

And also this means that CP can monetize.

A CP service could be established where people can pay a fee to have a plugin forked and maintained with security fixes. Like a subscription.

This monetization could be organized as a referral program where devs and CP split the revenue.

…and this also highlights why the hard work CP community put into the directory and core plugins, and also on supporting community efforts to fork and develop for CP was so important. We haven’t had a major release or big movements. But we are laying a solid foundation for the whole project.

This has always been the case in WP. It is not new to CP. Another hole in the system is when a plugin is abandoned or removed from the WP repository. The user is not notified.
Do you have a solution for all three situations?

1 Like

I second @joyously about abandoned plugins…
One solution is make people enter a process to reassign it before abandoning.
Also avoiding a million forks of the same exact one rebranded…

As @joyously noted regarding update notices, this isn’t a CP-specific issue – we inherited it along with the codebase.

Regarding notifying users about removed plugins… the problem is that there isn’t a good solution. While WP/CP could notify users when a plugin is removed, that would create an easier method for bad actors to find and exploit vulnerabilities. This shortcoming (and what to do about it) has been argued for years in the WP space without resolution; the fallback has been to quietly close the plugin.

Regarding abandoned plugins, there’s nothing we can do about that. Whether a developer keeps working on a project is completely up to them – there’s no possible enforcement mechanism to force someone to change ownership…or to even mention it has been abandoned. It’s up to the developer to do the right thing.

PS. Thanks @ozfiddler for the report on the exploit!

1 Like

Cpcompatibility shows a warning in plugin page when the latest version is not compatible. I can take a look at plugins removed from wp directory.
Some hint of the slug of a removed plugin?

1 Like

A change could be made in core in the update check. Right now, the version numbers are compared and nothing is said if you are on a lower version. That check could be removed or modified, so that you always see updates whether your site can use them or not.
But that won’t fix the plugins that are never updated (closed or abandoned). The WP API doesn’t indicate that state. Having a Last Modified date might be good, but I think that’s what the Tested Up To field is for.

1 Like

Couple of plugins worth considering:

WPScan scans your system to find security vulnerabilities listed in the WPScan WordPress Vulnerability Database.

Wordfence will also flag any plugins that have been abandoned or removed from the repo.

2 Likes

OK, but I’m sure WP aren’t too concerned about it. Their response would undoubtedly be: “It’s your own fault… you should always update to the latest version of WP”.

But one of our mantras is that if a plugin works with WP 4.9 then it works with CP. We are also supposed to be big on security.

I only mentioned one situation. Maybe we need to run a check on the “WordPress version” field to notify the user if it has moved to 5+? I have no idea if that is possible.
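Both the core-level idea above (surface updates even when the site cannot use them) and the suggested check on the plugin's "WordPress version" field can be prototyped without touching core. The following is an added example, not code from ClassicPress, WordPress or any of the plugins named in this thread: a must-use plugin that asks the WordPress.org plugin API for each installed directory plugin, and raises an admin notice when a newer release exists but its `Requires at least` value is above the core version this site reports. The slug-from-directory-name heuristic, the transient name and the assumption that `get_bloginfo( 'version' )` returns the WP-compatible version on ClassicPress are all assumptions of this example.

```php
<?php
/**
 * Plugin Name: Hidden Update Check (added example, not an official CP plugin)
 * Description: Flags installed directory plugins whose newest release requires a
 *              newer core than this site runs, so security releases that the normal
 *              update screen silently hides are still brought to the admin's attention.
 *
 * Drop into wp-content/mu-plugins/ to try it out.
 */

add_action( 'admin_notices', 'hidden_update_check_notice' );

/**
 * Scan installed plugins against the WordPress.org directory.
 *
 * @param array  $plugins      Output of get_plugins(): plugin file => header data.
 * @param string $core_version Version string this site reports (e.g. "4.9.15").
 * @return array plugin file => array( name, installed, latest, requires )
 */
function hidden_update_check_scan( array $plugins, $core_version ) {
	$flagged = array();

	foreach ( $plugins as $file => $data ) {
		// Assumption: the directory slug equals the plugin's folder name.
		// Single-file plugins (no folder) are skipped.
		$slug = dirname( $file );
		if ( '.' === $slug ) {
			continue;
		}

		$info = plugins_api(
			'plugin_information',
			array(
				'slug'   => $slug,
				'fields' => array( 'requires' => true, 'sections' => false, 'versions' => false ),
			)
		);

		// WP_Error here usually means "not in the directory": a private plugin,
		// or one that has been closed/removed. The API does not say which.
		if ( is_wp_error( $info ) || empty( $info->version ) ) {
			continue;
		}

		// Already on the newest directory release: nothing hidden.
		if ( version_compare( $info->version, $data['Version'], '<=' ) ) {
			continue;
		}

		// A newer release exists. The stock update check only shows it when the
		// site satisfies "Requires at least"; this is the case it hides.
		if ( ! empty( $info->requires ) && version_compare( $core_version, $info->requires, '<' ) ) {
			$flagged[ $file ] = array(
				'name'      => $data['Name'],
				'installed' => $data['Version'],
				'latest'    => $info->version,
				'requires'  => $info->requires,
			);
		}
	}

	return $flagged;
}

/**
 * Print one admin notice listing every plugin with a hidden newer release.
 * Results are cached for 12 hours so plugins_api() is not hit on every page load.
 */
function hidden_update_check_notice() {
	if ( ! current_user_can( 'update_plugins' ) ) {
		return;
	}
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // provides plugins_api()

	// Assumption: on ClassicPress this returns the WP-compatible version string.
	$core_version = get_bloginfo( 'version' );

	$flagged = get_transient( 'hidden_update_check_results' );
	if ( false === $flagged ) {
		$flagged = hidden_update_check_scan( get_plugins(), $core_version );
		set_transient( 'hidden_update_check_results', $flagged, 12 * HOUR_IN_SECONDS );
	}
	if ( empty( $flagged ) ) {
		return;
	}

	echo '<div class="notice notice-warning"><p><strong>Newer releases exist that the update screen is not showing:</strong></p><ul>';
	foreach ( $flagged as $row ) {
		printf(
			'<li>%s: installed %s, latest %s (requires WP %s, this site reports %s). Check the changelog for security fixes.</li>',
			esc_html( $row['name'] ),
			esc_html( $row['installed'] ),
			esc_html( $row['latest'] ),
			esc_html( $row['requires'] ),
			esc_html( $core_version )
		);
	}
	echo '</ul></div>';
}
```

Two caveats from the thread apply to this check as well. It cannot tell a closed or removed plugin from one that was never in the directory, because `plugins_api()` returns the same "not found" error for both, so it does not cover the abandoned-plugin case joyously raised. And it only tells you that a newer release exists, not that the fix can be backported; reading the changelog and deciding whether to fork is still manual work.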