Security of 150,000 WordPress sites under question due to vulnerabilities in a popular plugin

Authorization bypass and cross-site scripting compromise data privacy.

Two serious vulnerabilities were discovered in the popular POST SMTP plugin for WordPress, which is used on more than 300,000 websites. These flaws can allow attackers to gain full control over the target site.

Researchers at Wordfence identified these issues last month and reported them to the plugin's developers. We'll look at each vulnerability in more detail below.

CVE-2023-6875. The first vulnerability is a critical authorization bypass. It occurs due to a "Type Juggling" issue on the REST connect-app endpoint and affects all versions of the POST SMTP plugin up to 2.8.7. An unauthenticated attacker can use this flaw to reset the API key and access confidential information, including password reset emails.

An attacker can also use a function associated with the mobile app to set a valid token with a null value for the authentication key through a request. Then the attacker can initiate a password reset for the site administrator and gain access to the key through the application, change it and block access to the legitimate user.

After gaining administrator rights, a hacker can fully control the site: install backdoors, modify plugins and themes, edit and publish content, or redirect users to malicious resources.
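To show the class of bug behind the first flaw, here is an added PHP example; it is not the plugin's code and not from the article. It contrasts a hypothetical REST token check written with PHP's loose comparison against a hardened version; the function names and the sample inputs are constructed.

```php
<?php
// Hypothetical token check for a REST endpoint (illustration only, not
// the POST SMTP plugin's code). Shows why loose comparison is unsafe.

// Weak check: PHP's == performs type juggling. If the stored key was never
// set (a failed WordPress option lookup returns false) or the request
// carries null, comparisons such as null == false, "" == null and, on
// PHP < 8, 0 == "abc" evaluate to true, so a missing token passes.
function weak_token_check($request_token, $stored_key): bool {
    return $request_token == $stored_key;
}

// Hardened check: require both values to be non-empty strings and compare
// with hash_equals(), which is strictly typed and constant-time.
function strict_token_check($request_token, $stored_key): bool {
    if (!is_string($request_token) || !is_string($stored_key)) {
        return false;
    }
    if ($request_token === '' || $stored_key === '') {
        return false;
    }
    return hash_equals($stored_key, $request_token);
}

// Constructed inputs: [token from request, key read from storage].
$cases = [
    [null, false],                // weak: true,  strict: false
    ['', null],                   // weak: true,  strict: false
    [0, 'abc'],                   // weak: true on PHP < 8, strict: false
    ['secret-key', 'secret-key'], // weak: true,  strict: true
];
foreach ($cases as [$token, $key]) {
    printf("weak=%s strict=%s\n",
        var_export(weak_token_check($token, $key), true),
        var_export(strict_token_check($token, $key), true));
}
```

The first three cases are the pattern to look for in code review: a comparison that can succeed when either side is empty, null or of an unexpected type.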

CVE-2023-7027. The second vulnerability is a cross-site scripting (XSS) issue caused by insufficient input sanitization and output escaping. It affects POST SMTP up to version 2.8.7 and can allow attackers to inject arbitrary scripts into the target site's web pages.

Wordfence first contacted the plugin developers on December 8, 2023. Shortly after sending the report, Wordfence developed a PoC exploit, which was published on December 20. Already on January 1 of this year, POST SMTP developers released version 2.8.8, which includes fixes for both vulnerabilities.

According to statistics from the site wordpress.org, about 150,000 sites currently use vulnerable versions of the plugin.