The Easy WP SMTP plugin authors have released a new update, fixing a very critical 0day vulnerability. When leveraged, this vulnerability gives unauthenticated attackers the power to modify any options of an affected site — ultimately leading to a complete site compromise.
The vulnerability, found only in version 1.3.9, has been seen exploited in the wild and impacts thousands of sites.
The bug being exploited takes advantage of a misunderstanding of the admin_init hook’s execution context.
Source: Scuri check