150,000 WordPress Sites at Risk Due to Vulnerable Plugin

Penka Hristovska
Published on: January 17, 2024

Security researchers have uncovered a pair of critical vulnerabilities in a popular WordPress plugin that could potentially allow hackers full control over affected websites. The vulnerabilities were found in the email delivery tool POST SMTP Mailer WordPress plugin, which has been installed on over 300,000 websites.

The vulnerabilities were detected by Sean Murphy and Ulysses Saicha, researchers from Wordfence, a leading cybersecurity firm. They explained the vulnerabilities could enable malicious actors to reset the mailer’s authentication API key and access logs, which might include password reset emails.

The most critical of the two identified vulnerabilities in the plugin is CVE-2023-6875, which is rated 9.8 on the CVSS scale and impacts all versions of the plugin up to 2.8.7.

More specifically, it’s an authorization bypass flaw caused by “type juggling” in the plugin’s connect-app REST endpoint. The flaw allows an attacker to reset the API key used for authentication, which could expose sensitive log data, including password reset emails. This essentially means that hackers could initiate a password reset for an administrator, locking them out of the website.
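As an added illustration (not the plugin’s own code), the following PHP shows the general pitfall behind this class of flaw: a token check written with PHP’s loose `==` comparison beside a hardened version using a strict, constant-time comparison. The function names and token value are constructed for this example.

```php
<?php
// Added example, not code from the POST SMTP plugin: a loose (==) token
// check that PHP type juggling can defeat, and the hardened equivalent.

// Vulnerable pattern: == converts operands before comparing.
// On PHP 7.x a non-numeric string compared with the integer 0 is cast
// to int, so "some-token" == 0 is true. On every PHP version two
// numeric-looking strings compare as numbers, so "0e123" == "0e456".
function token_check_loose(string $stored, $supplied): bool {
    return $supplied == $stored;            // BUG: loose comparison
}

// Hardened pattern: insist on a non-empty string, then use hash_equals(),
// which compares byte-for-byte (strict) and in constant time.
function token_check_strict(string $stored, $supplied): bool {
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed sample token; a REST request body is JSON, so the
// "token" field can arrive as an int or bool rather than a string.
$stored = 'k3x9-constructed-example-token';

var_dump(token_check_loose($stored, 0));        // bool(true) on PHP 7.x
var_dump(token_check_strict($stored, 0));       // bool(false)
var_dump(token_check_strict($stored, $stored)); // bool(true)
```

PHP 8 changed string-to-number comparison so the first case no longer passes there, but the numeric-string case and any `==` on untrusted input remain a hazard; the strict form is correct on every version.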

The other vulnerability, identified as CVE-2023-7027, is a stored cross-site scripting (XSS) issue. It has a lower CVSS score, 7.2, but is still considered high severity. The researchers explained that it arises from “insufficient input sanitization and output escaping” in versions 2.8.7 and earlier, and allows potential attackers to embed harmful scripts into web pages, which are then executed when a user visits the compromised page.

With full administrator privileges, a hacker can gain complete control over the WordPress site: modify plugins and themes; edit, publish, and unpublish content; plant backdoors; and redirect users to unsafe destinations.

The plugin’s vendor issued security fixes in version 2.8.8 of the POST SMTP plugin, released on Jan. 1 this year. Unfortunately, almost 50% of the websites using the plugin are still running a vulnerable version, according to reports. Plugin users are strongly encouraged to upgrade to the most recent version to protect their websites against potential attacks.
