ALERT: Update WordPress plugin for critical vulnerability

Monday, March 25, 2019

This information was sent to U-M IT staff groups via email on March 25, 2019. It is intended for WordPress administrators who are responsible for university websites that use the WordPress Easy WP SMTP plugin.


A vulnerability has been discovered in the WordPress Easy WP SMTP Plugin that could allow for remote code execution. WordPress is an open source content management system for websites. Easy WP SMTP allows WordPress sites to route outgoing emails via an SMTP server.


Version 1.3.9 of the Easy WP SMTP plugin is vulnerable to a security flaw that could allow attackers to set up ordinary subscriber accounts with hidden admin powers or hijack sites to serve malicious redirects. Successful exploitation of this vulnerability could allow for remote code execution with elevated privileges.


The vulnerability is being actively exploited in the wild. Attackers have been using it to establish administrative control of affected sites since at least March 15.

Affected Versions

WordPress Easy WP SMTP Plugin version 1.3.9

Action Items

  1. Change your WordPress and SMTP passwords.
  2. Apply the update to version as soon as possible after appropriate testing.

According to Naked Security by Sophos, "If you think your site might have been targeted, the recommended action is to first reinstate it from a pre-hack backup before applying the update and changing those passwords." See instructions from WordPress at Vulnerability in plugin version 1.3.9 (WordPress).

Technical Details

See Critical zero-day vulnerability fixed in WordPress Easy WP SMTP plugin (NinTechNet, 3/17/19) for technical details and proof of concept.

How We Protect U-M

  • This communication is being sent to IT staff across the university.
  • Information Assurance (IA) works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.