MalCare Protects Against Critical PHP Object Injection Vulnerability in FluentSMTP
On November 22nd, 2024, a critical vulnerability was discovered in the FluentSMTP plugin. This vulnerability affects all versions of the plugin including v2.2.82. It allows attackers to insert harmful code into your site. If they exploit it, they could delete files, access data, or execute code without your permission.
If you are using this plugin, we recommend updating the plugin to the patched version immediately. Additionally, scan your site to identify any potential issues and address them promptly.
What is the vulnerability?
If your site is one of the 300,000+ sites using the FluentSMTP plugin, it’s important to note a critical issue. All versions of this plugin including v2.2.82 have a critical PHP object injection vulnerability.
This flaw lets attackers sneak harmful code into your website by using fields like to, headers, attachments, response, and extra without needing to log in. On its own, the vulnerable plugin doesn’t have the specific sequence of code (called a POP chain) that would allow an attacker to do more damage.
However, if a POP chain exists in another plugin or theme on your site, it could let attackers delete files, access sensitive data, or run commands they shouldn’t be able to.
Should you be worried?
Yes, this is a serious concern. The vulnerability in the FluentSMTP plugin is critical, with a CVSS score of 9.8, indicating a significant threat. To protect your site from potential exploitation, it is essential to update the plugin to v2.2.83 without delay.
What should you do next?
To keep your site secure, it’s important to act immediately. Here’s what you should do:
What if your site is already compromised?
If you suspect that your site has already been compromised through this vulnerability, it’s vital to take immediate action. Here’s what you should do:
Technical details of the vulnerability
Issue
The FluentSMTP plugin contains a vulnerability called PHP Object Injection in its formatResult function. This flaw allows attackers to inject harmful PHP Objects into the system.
While the plugin itself does not have a direct exploit path, like a POP chain, it becomes a significant security risk if such a chain is present in other plugins or themes on the site. If that happens, attackers could potentially delete files, access sensitive information, or execute unauthorized code, all without needing to log in.
Root cause
The root of this vulnerability lies in the plugin’s failure to adequately validate and sanitize incoming data before processing it in the formatResult function. This affects fields like to, headers, attachments, response, and extra, allowing attackers to inject malicious PHP objects.
The lack of data checks means the function processes potentially harmful content, creating the risk of security breaches if there are compatible exploit paths in other site components.
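As an added illustration (not FluentSMTP’s code), the unsafe shape the root cause describes, beside a hardened form: untrusted request fields reaching unserialize() let any loadable class on the site be instantiated, which is what a POP chain in another plugin or theme would build on. The field names come from the advisory; DemoGadget, formatResultVulnerable, formatResultHardened and containsObject are hypothetical names for this example.

```php
<?php
// Added example, not the plugin's code. The field names are those named in the
// advisory; the function bodies are illustrative stand-ins, not FluentSMTP's.
const UNTRUSTED_FIELDS = ['to', 'headers', 'attachments', 'response', 'extra'];

// Stand-in for any class with a magic method that a POP chain would rely on.
// Here it only reports that unserialize() instantiated it.
class DemoGadget {
    public $note = 'constructed for the demo';
    public function __wakeup() { echo "DemoGadget instantiated by unserialize()\n"; }
}

// Vulnerable shape: each field is handed to unserialize() as-is, so a crafted
// string chooses which class gets instantiated and which magic methods run.
function formatResultVulnerable(array $row): array {
    foreach (UNTRUSTED_FIELDS as $f) {
        if (isset($row[$f]) && is_string($row[$f])) {
            $row[$f] = @unserialize($row[$f]);
        }
    }
    return $row;
}

// True if $v is an object or an array containing one at any depth
// (allowed_classes => false turns objects into __PHP_Incomplete_Class).
function containsObject($v): bool {
    if (is_object($v)) { return true; }
    if (!is_array($v)) { return false; }
    $found = false;
    array_walk_recursive($v, function ($leaf) use (&$found) {
        if (is_object($leaf)) { $found = true; }
    });
    return $found;
}

// Hardened shape: classes are never resolved and any object is rejected.
// For new code, a format with no object semantics (JSON) is the better choice.
function formatResultHardened(array $row): array {
    foreach (UNTRUSTED_FIELDS as $f) {
        if (!isset($row[$f]) || !is_string($row[$f])) { continue; }
        $v = @unserialize($row[$f], ['allowed_classes' => false]);
        if ($v === false || containsObject($v)) {
            throw new InvalidArgumentException("rejected payload in field '$f'");
        }
        $row[$f] = $v;
    }
    return $row;
}

// Constructed input: 'to' is a harmless serialized array, 'extra' a serialized object.
$row = ['to' => serialize(['user@example.com']), 'extra' => serialize(new DemoGadget())];
formatResultVulnerable($row);                         // prints the DemoGadget line
try { formatResultHardened($row); }                   // throws on 'extra'
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

The same containsObject check is what a scanner or firewall rule can apply to request fields before they reach plugin code: a serialized string that contains an object marker (O:, C:) has no legitimate reason to appear in an email address, header or attachment field.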
Timeline
How MalCare protects your site
If you are a MalCare user, your site is protected against the PHP Object Injection vulnerability in the FluentSMTP plugin. MalCare’s advanced Atomic Security firewall is engineered to defend your site from such threats, all without any manual intervention. Here’s how:
How to keep your site secure
Keeping your WordPress site secure is important to protect it from risks and weaknesses. Here are easy steps to strengthen your site’s safety:
- Get a security plugin: Choose a dependable security plugin such as MalCare to strengthen your defenses. These tools provide features like malware detection, firewall safeguards, and activity tracking to secure your site.
- Schedule backups: Regularly back up your website’s database and files. This practice allows you to restore your site quickly in case any issues arise.
- Keep everything updated: Continuously update your WordPress core, themes, and plugins. Developers release updates to fix security issues, so apply these updates promptly.
- Use strong passwords: Implement complex and unique passwords for all site-related accounts like database, FTP, and admin. A password manager can help you generate and store these securely.
- Enable two-factor authentication: Adding two-factor authentication provides an additional layer of security, requiring a second verification step, like a code sent to your phone, making unauthorized access more difficult.
- Monitor your site’s activity: Keep a close watch on your site’s activity and logs to spot unusual actions promptly. This vigilance can help you address potential threats before they escalate.