Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import

Description

The changelog for easy-wp-smtp detailed that they "fixed potential vulnerability in import\export settings." in 1.3.9.1 of the plugin (SVN changeset 2052058). This was released on 17th March 2019.

It appears that an unauthenticated user can import arbitrary wp_options by providing a PHP serialized array in $_POST['swpsmtp_import_settings']. This can be used to permit new user registrations and default their permissions to 'administrator'.

The vulnerability and fixes are detailed in the plugin SVN changelog: https://plugins.trac.wordpress.org/changeset?old_path=%2Feasy-wp-smtp&old=2052057&new_path=%2Feasy-wp-smtp&new=2052058&sfp_email=&sfph_mail=

This appears to be being exploited in the wild at this time.

It is noted that the changelog of the plugin does not explain the severity of the vulnerability and refers to it merely as "potential".