Attackers have been actively exploiting serious vulnerabilities in two widely used WordPress plugins to compromise websites that run the extensions on top of the content management system.
The two affected plugins are Easy WP SMTP, with 300,000 active installations, and Social Warfare, which has about 70,000 active installations. While the developers have released patches for both exploited flaws, download figures indicate that many vulnerable websites have yet to install the fixes. Figures for Easy WP SMTP, which was fixed five days ago, show the plugin has been downloaded just short of 135,000 times in the past seven days. Figures for Social Warfare show it has been downloaded fewer than 20,000 times since a patch was published on WordPress on Friday. Sites that use either plugin should disable them immediately and then ensure they have been updated to version 1.3.9.1 of Easy WP SMTP and 3.5.3 of Social Warfare.
Attacks exploiting Easy WP SMTP were first reported by security firm NinTechNet on Sunday, the same day a patch became available. On Wednesday, a different security firm, Defiant, also reported the vulnerability was under active exploit despite the availability of the patch. The exploits allow attackers to create rogue administrative accounts on vulnerable websites.
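For administrators who want to triage a site rather than eyeball the plugins page, the following is an added example (not code from the article, NinTechNet, Defiant, or either plugin's developers) that covers both the update check above and the rogue-administrator symptom described here. It assumes WP-CLI is installed on the host and that the output of `wp plugin list --format=json` and `wp user list --role=administrator --format=json` is fed in; the two JSON documents below are constructed sample output standing in for those commands, and `KNOWN_ADMINS` is an assumed allowlist the operator would maintain.

```python
"""Triage a WordPress site from WP-CLI JSON output.

Added example, not from the original article. Assumes WP-CLI is installed and
that `wp plugin list --format=json` and
`wp user list --role=administrator --format=json` are run on the host; the
JSON literals below are constructed samples standing in for that output.
"""
import json
import re

# Minimum safe versions named in the article; anything older is flagged.
FIXED_VERSIONS = {
    "easy-wp-smtp": "1.3.9.1",
    "social-warfare": "3.5.3",
}

# Constructed sample of `wp plugin list --format=json` (not real site data).
SAMPLE_PLUGIN_JSON = """[
 {"name": "easy-wp-smtp", "status": "active", "update": "available", "version": "1.3.9"},
 {"name": "social-warfare", "status": "active", "update": "none", "version": "3.5.3"},
 {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.1"}
]"""

# Constructed sample of `wp user list --role=administrator --format=json`.
SAMPLE_ADMIN_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2017-05-02 09:14:00", "roles": "administrator"},
 {"ID": 57, "user_login": "wpsupp0rt", "user_email": "x@example.org",
  "user_registered": "2019-03-18 03:41:22", "roles": "administrator"}
]"""

# Administrator logins the site operator knows about (assumed allowlist).
KNOWN_ADMINS = {"siteowner"}


def parse_version(version):
    """Split '1.3.9.1' into (1, 3, 9, 1); non-numeric pieces such as 'rc1' sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version.strip()))


def version_lt(a, b):
    """True if version a is older than b. Shorter tuples are zero-padded so that
    1.3.9 compares as 1.3.9.0 and is correctly reported as older than 1.3.9.1."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def vulnerable_plugins(plugin_json, fixed=FIXED_VERSIONS):
    """Return [(slug, installed, fixed)] for plugins below their patched version.
    Inactive plugins are included: they can be re-enabled, so they still need updating."""
    findings = []
    for plugin in json.loads(plugin_json):
        slug = plugin["name"]
        if slug in fixed and version_lt(plugin["version"], fixed[slug]):
            findings.append((slug, plugin["version"], fixed[slug]))
    return findings


def unexpected_admins(admin_json, known=KNOWN_ADMINS):
    """Return login names of administrator accounts that are not on the allowlist."""
    return sorted(u["user_login"] for u in json.loads(admin_json) if u["user_login"] not in known)


if __name__ == "__main__":
    for slug, installed, fixed in vulnerable_plugins(SAMPLE_PLUGIN_JSON):
        print(f"UPDATE NEEDED: {slug} {installed} is older than {fixed}")
    for login in unexpected_admins(SAMPLE_ADMIN_JSON):
        print(f"REVIEW: administrator account '{login}' is not on the allowlist")
```

On a live site, replace the sample literals with the output of the two WP-CLI commands (for example via `subprocess.run(["wp", "plugin", "list", "--format=json"], capture_output=True, text=True).stdout`). The padded comparison in `version_lt` matters here because a point release such as 1.3.9.1 has one more component than the release it supersedes; a naive string comparison would also work for these two plugins, but breaks as soon as a component reaches two digits.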