POST SMTP Mailer, a widely used SMTP mailer plugin for WordPress with 300,000+ active installations, has fixed two security vulnerabilities, the more severe of which allows complete takeover of a WordPress site.
WordPress security company Wordfence recently disclosed two security vulnerabilities in the POST SMTP Mailer WordPress plugin: an authorization bypass rated critical and a stored cross-site scripting (XSS) issue. Both were reported through Wordfence's bug bounty program and have been patched in the latest version of the plugin.
1. Authorization Bypass Enables Site Takeover
The more severe of the two flaws is an authorization bypass, tracked as CVE-2023-6875 with a CVSS score of 9.8, that stems from a type juggling issue in the plugin's connect-app API endpoint. This endpoint is used to connect a mobile app to the plugin and is supposed to be protected by an authentication key.
Because the key is checked with a loose comparison, an unauthenticated attacker can send a request with a blank auth key and have it accepted. The attacker can then connect their own app to the site and read the plugin's email logs, including password reset emails.
With access to password reset emails, an attacker can trigger a reset for an administrator account, read the reset link from the log, set a new password, and log in as an administrator. This full site takeover is possible on any WordPress site running a vulnerable version of the plugin.
The researcher has also published a proof of concept (PoC) for the vulnerability on GitHub.
2. Stored XSS Vulnerability Allows Code Injection
The second flaw, tracked as CVE-2023-7027 with a CVSS score of 7.2, is an unauthenticated stored cross-site scripting vulnerability caused by insufficient input sanitization. An attacker can inject arbitrary JavaScript or HTML into pages through the 'device' header sent when connecting a mobile app.
The injected script executes whenever an administrator views the mobile app settings page, which opens the door to impacts ranging from session hijacking to malware downloads.
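The two weakness patterns described above (the loosely compared auth key and the unescaped 'device' value), shown side by side with their hardened forms as an added example. This is not code from the original article and it is not the POST SMTP Mailer plugin's own code: it is an illustrative reconstruction in PHP, and the function names, the stored-key and header values, the fallback esc_html() and every sample input are assumptions made for the example.

```php
<?php
// Added example: an illustrative reconstruction of the two weakness patterns in a
// "connect mobile app" REST handler. This is NOT the POST SMTP Mailer plugin's
// code; the function names, the option/header names and the sample values are
// assumptions made for the example. Runs stand-alone with `php example.php`.

// ---------- 1. Authorization bypass through PHP type juggling ----------------

// Vulnerable pattern: a loose (==) comparison between the key sent by the client
// and the key stored on the site. If no key has ever been stored, WordPress'
// get_option() returns false, and in PHP '' == false and null == false are both
// true, so a request with a blank or missing auth header is accepted.
// (On PHP < 8, '' == 0 is true as well.)
function loose_auth_check($supplied_key, $stored_key)
{
    return $supplied_key == $stored_key; // BAD: juggled comparison
}

// Hardened pattern: insist on two non-empty strings and compare them with
// hash_equals(), which compares byte-for-byte (no juggling) in constant time.
function strict_auth_check($supplied_key, $stored_key)
{
    if (!is_string($supplied_key) || !is_string($stored_key)) {
        return false;
    }
    if ($supplied_key === '' || $stored_key === '') {
        return false;
    }
    return hash_equals($stored_key, $supplied_key);
}

// ---------- 2. Stored XSS through an unescaped request header ----------------

// Vulnerable pattern: the device name from the request header is saved verbatim
// and later concatenated into the admin settings page as raw HTML.
function render_device_row_vulnerable($device_name)
{
    return '<tr><td>' . $device_name . '</td></tr>'; // BAD: unescaped output
}

// Hardened pattern: escape on output. Inside WordPress this is esc_html(); the
// fallback below only exists so the file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text)
    {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

function render_device_row_hardened($device_name)
{
    return '<tr><td>' . esc_html($device_name) . '</td></tr>';
}

// ---------- Demo with constructed inputs -------------------------------------

$stored_key = false;                   // get_option() result when no key is set (constructed)
$real_key   = 'example-app-key-0123';  // constructed stand-in for a real stored key

$cases = [
    ['loose,  blank key, key never set',  loose_auth_check('', $stored_key)],
    ['loose,  missing header, key unset', loose_auth_check(null, $stored_key)],
    ['strict, blank key, key never set',  strict_auth_check('', $stored_key)],
    ['strict, wrong key, key set',        strict_auth_check('guess', $real_key)],
    ['strict, correct key, key set',      strict_auth_check($real_key, $real_key)],
];
foreach ($cases as [$label, $allowed]) {
    printf("%-36s => %s\n", $label, $allowed ? 'ALLOWED' : 'denied');
}

$device = '<script>alert(document.cookie)</script>'; // constructed XSS payload
echo "vulnerable: ", render_device_row_vulnerable($device), "\n";
echo "hardened:   ", render_device_row_hardened($device), "\n";
```

Running it with `php example.php` shows the loose check accepting both the blank key and the missing header when no key has been stored, while the strict check accepts only the exact stored key; the hardened renderer emits the payload as `&lt;script&gt;...` text instead of a live script tag. Note that PHP 8 tightened string-to-number comparison (`'' == 0` is now false) but left `'' == false` and `'' == null` true, so a loose comparison against an unset option remains bypassable on current PHP.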
These issues were responsibly reported by researchers Ulyses Saicha and Sean Murphy through Wordfence's bug bounty program. For their efforts, Saicha earned a bounty of $4,125 for the authorization bypass and Murphy received $825 for the stored XSS discovery.
Vendor Patch Released January 1st
Upon receiving the reports in mid-December, Wordfence notified the developer WPExperts.io and provided full details. The vendor addressed the issues promptly, releasing POST SMTP Mailer version 2.8.8 with fixes on January 1st, 2024.
Site administrators using the plugin should update to version 2.8.8 or later as soon as possible to mitigate the threat from these vulnerabilities.
For Wordfence users, firewall rules blocking exploitation attempts were deployed on January 3rd for Premium, Care, and Response customers; free Wordfence users receive the same protection on February 2nd.
The type juggling vulnerability in POST SMTP Mailer is a reminder that sites must stay on top of plugin updates, especially when critical flaws are found. The vendor has shipped a fix, but site owners must still apply the update.