MalCare Protects Against Critical PHP Object Injection Vulnerability in FluentSMTP

On November 22nd, 2024, a critical vulnerability was discovered in the FluentSMTP plugin. It affects all versions of the plugin including v2.2.82. The flaw is a PHP object injection: it allows attackers to inject serialized PHP objects into your site. If they exploit it, they could delete files, access data, or execute code without your permission.
If you are using this plugin, we recommend updating the plugin to the patched version immediately. Additionally, scan your site to identify any potential issues and address them promptly.
What is the vulnerability?

If your site is one of the 300,000+ sites using the FluentSMTP plugin, it’s important to note a critical issue. All versions of this plugin including v2.2.82 have a critical PHP object injection vulnerability.
This flaw lets attackers inject serialized PHP objects into your website through request fields such as to, headers, attachments, response, and extra, without needing to log in. On its own, the vulnerable plugin does not contain the specific sequence of class methods (called a POP chain, for property-oriented programming) that an attacker needs to turn the injected object into real damage.
However, if a POP chain exists in another plugin or theme on your site, it could let attackers delete files, access sensitive data, or run commands they shouldn’t be able to.
Should you be worried?
Yes, this is a serious concern. The vulnerability in the FluentSMTP plugin is critical, with a CVSS score of 9.8, indicating a significant threat. To protect your site from potential exploitation, it is essential to update the plugin to v2.2.83 without delay.

What should you do next?
To keep your site secure, it’s important to act immediately. Here’s what you should do:

What if your site is already compromised?
If you suspect that your site has unfortunately fallen into the grasp of this vulnerability, it’s vital to take immediate action. Here’s what you should do:
Technical details of the vulnerability
Issue
The FluentSMTP plugin contains a vulnerability called PHP Object Injection in its formatResult function. This flaw allows attackers to inject attacker-controlled PHP objects into the system.
While the plugin itself does not have a direct exploit path, like a POP chain, it becomes a significant security risk if such a chain is present in other plugins or themes on the site. If that happens, attackers could potentially delete files, access sensitive information, or execute unauthorized code, all without needing to log in.
Root cause
The root of this vulnerability lies in the plugin’s failure to adequately validate and sanitize incoming data before processing it in the formatResult function. This affects fields like to, headers, attachments, response, and extra, allowing attackers to inject malicious PHP objects.
The lack of data checks means the function processes potentially harmful content, creating the risk of security breaches if there are compatible exploit paths in other site components.
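To illustrate the root cause described above, here is an added PHP example; it is not FluentSMTP's or MalCare's code. It models a hypothetical helper that receives the to, headers, attachments, response, and extra fields as serialized strings and accepts them only as plain data, never as objects. It assumes PHP 7.0 or later and uses constructed sample inputs.

```php
<?php
// Added example, not FluentSMTP's own code. Models a hypothetical helper
// that processes request fields (to, headers, attachments, response, extra)
// arriving as serialized strings, and refuses to instantiate any object.

// Conservative pre-check: does the raw string carry an object or custom
// serialization token (O:len:"Class" or C:len:"Class")? Useful for logging
// and blocking at the edge before any deserialization happens.
function looks_like_object_payload(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// True if the decoded value contains an object anywhere in its structure.
// The instanceof check covers PHP < 7.2, where is_object() was false for
// __PHP_Incomplete_Class instances.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened decoder: allowed_classes => false (PHP 7.0+) turns every object
// token into __PHP_Incomplete_Class, so no real class's __wakeup/__destruct
// runs during unserialize and no POP chain can start. Any input that still
// contained an object is then rejected, so only scalars and arrays continue.
function decode_field_safely(string $raw)
{
    if (looks_like_object_payload($raw)) {
        return null;                  // reject before deserializing at all
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null;                  // malformed serialized input
    }
    return contains_object($value) ? null : $value;
}

// Constructed sample inputs: a benign array field and one smuggling an object.
$benign  = serialize(['to' => 'ops@example.com', 'extra' => ['retry' => 2]]);
$objects = 'a:1:{s:8:"response";O:8:"stdClass":1:{s:4:"note";s:2:"hi";}}';
assert(decode_field_safely($benign) !== null);   // plain data is kept
assert(decode_field_safely($objects) === null);  // object payload is dropped
```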

Timeline
How MalCare protects your site
If you are a MalCare user, your site is protected against the PHP Object Injection vulnerability in the FluentSMTP plugin. MalCare’s advanced Atomic Security firewall is engineered to defend your site from such threats, all without any manual intervention. Here’s how:
How to keep your site secure
Keeping your WordPress site secure is important to protect it from risks and weaknesses. Here are easy steps to strengthen your site’s safety:
- Get a security plugin: Choose a dependable security plugin such as MalCare to strengthen your defenses. These tools provide features like malware detection, firewall safeguards, and activity tracking to secure your site.
- Schedule backups: Regularly back up your website’s database and files. This practice allows you to restore your site quickly in case any issues arise.
- Keep everything updated: Continuously update your WordPress core, themes, and plugins. Developers release updates to fix security issues, so apply these updates promptly.
- Use strong passwords: Implement complex and unique passwords for all site-related accounts like database, FTP, and admin. A password manager can help you generate and store these securely.
- Enable two-factor authentication: Adding two-factor authentication provides an additional layer of security, requiring a second verification step, like a code sent to your phone, making unauthorized access more difficult.
- Monitor your site’s activity: Keep a close watch on your site’s activity and logs to spot unusual actions promptly. This vigilance can help you address potential threats before they escalate.