The POST SMTP Mailer WordPress plugin, a widely used email delivery tool active on about 300,000 websites, is affected by two vulnerabilities that could let attackers take full control of site authentication.
The first vulnerability, tracked as CVE-2023-6875, is a critical authorization bypass caused by a PHP "type juggling" problem on the plugin's connect-app REST endpoint. It affects all versions of the plugin up to and including 2.8.7.
An unauthenticated attacker who exploits it can reset the plugin's API key and read the sensitive data the plugin logs, including the contents of password reset emails.
More specifically, the endpoint that pairs the plugin with its mobile app checks the authentication key with a loose comparison, so a request that supplies the value zero as the authentication key is accepted as if it carried the valid token.
That key check is the point of compromise. Having passed it, the attacker requests a password reset for the site's administrator, reads the reset key from the plugin's email log, and uses it to set a new administrator password, locking the legitimate user out of the account.
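The following added example is not the plugin's code and does not come from the original article; it shows in plain PHP why a loose comparison lets a request that does not know the key pass a check with the value zero, next to a hardened version of the same check. The function names, the stored key and the JSON request bodies are assumptions constructed for the illustration, and the example goes one step beyond the zero case in the text by also sending a JSON boolean.

```php
<?php
// Added illustration of PHP "type juggling" in an API key check. This is NOT
// the plugin's code: the function names, the stored key and the request bodies
// are constructed for this example.

// Hypothetical stored key: a random, non-numeric string, as an API key would be.
$stored_key = 'f3a8c1d9e2b74056a1c9e8d7b6f5a4c3';

// Vulnerable pattern: loose comparison (==) of untrusted input against the key.
// == converts the operands to a common type before comparing them.
function check_key_loose(string $stored_key, $supplied): bool
{
    return $supplied == $stored_key;
}

// Hardened pattern: insist on a non-empty string, then compare in constant time
// with hash_equals(), which never coerces types.
function check_key_strict(string $stored_key, $supplied): bool
{
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored_key, $supplied);
}

// Request bodies an attacker who does not know the key might send. Note that
// json_decode() turns the JSON literals 0 and true into a PHP int and a PHP
// bool, not into strings; only the third body is a string guess.
$bodies = [
    'zero'  => json_decode('{"auth_key": 0}', true),
    'true'  => json_decode('{"auth_key": true}', true),
    'guess' => json_decode('{"auth_key": "wrong"}', true),
];

foreach ($bodies as $label => $body) {
    $supplied = $body['auth_key'];
    printf(
        "%-5s loose=%s strict=%s\n",
        $label,
        check_key_loose($stored_key, $supplied) ? 'PASS' : 'fail',
        check_key_strict($stored_key, $supplied) ? 'PASS' : 'fail'
    );
}
```

Run with `php` on 7.x and the `zero` body passes the loose check, because an int compared with a string converts the string to a number and a key that does not begin with digits becomes 0 (if the key did begin with digits, the attacker would simply try that leading number instead). PHP 8.0 changed number-to-string comparison, so `0 == "f3a8..."` is false there, but `true == "f3a8..."` still passes on every PHP version because a non-empty string is truthy. The strict variant rejects all three bodies regardless of version, which is why token and key checks should use `===` or `hash_equals()` on a value that has first been confirmed to be a string.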
With administrator privileges acquired through this method, the attacker gains complete access, enabling them to introduce backdoors, modify plugins and themes, edit and publish content, or redirect users to malicious destinations.
The second vulnerability, tracked as CVE-2023-7027, is a cross-site scripting (XSS) flaw caused by insufficient input sanitization and output escaping. It also affects POST SMTP versions up to and including 2.8.7 and allows attackers to inject arbitrary scripts into pages of the affected site.
Wordfence reported the critical flaw to the vendor on December 8, 2023, and supplied a proof-of-concept (PoC) exploit on December 15. The XSS issue was reported on December 19, 2023, with a PoC shared the following day.
The plugin's developer released POST SMTP version 2.8.8 on January 1, 2024, with fixes for both issues.
According to wordpress.org statistics, roughly 150,000 sites run a version below 2.8 and are therefore vulnerable. The other half run version 2.8 and above, and a large share of those are probably still exposed as well: wordpress.org counts active installations only by minor version, so 2.8.7 and 2.8.8 are reported together, and the platform recorded only around 100,000 downloads since the patch was released.
Our recommendations
If you are using the POST SMTP WordPress plugin, it is strongly recommended to take the following actions:
Update Immediately:
Update the plugin to version 2.8.8 or later, which contains the fixes for both vulnerabilities. Check for updates regularly and apply them as soon as they become available to protect your site from exploitation.
Security Audit:
Conduct a comprehensive security audit of your website to identify any compromise or unauthorised access that may have occurred before the update. Look for signs of the attack chain described above: unexpected password reset emails in the plugin's log, an API key you did not set, new or changed administrator accounts, and modified plugin or theme files.
Monitor User Accounts:
Keep a close eye on user accounts, especially administrator accounts, for any unauthorised access or suspicious activities. If any irregularities are detected, take immediate action to secure the affected accounts, including password resets and account reviews.
Backup Your Website:
Before performing any updates or security measures, ensure you have a recent backup of your website. This ensures that in case anything goes wrong during the update or subsequent security measures, you can restore your site to a known, secure state.
By following these recommendations, you can significantly enhance the security of your WordPress site and reduce the risk of exploitation of the identified vulnerabilities in the POST SMTP plugin.