Researchers discovered two new vulnerabilities affecting a popular WordPress plugin that could let attackers take over impacted websites completely.
The flaws affect the POST SMTP Mailer WordPress plugin, a widely used email delivery tool installed on some 300,000 websites.
According to Wordfence security researchers Sean Murphy and Ulysses Saicha, who made the discovery, the shortcoming could let threat actors reset the mailer’s authentication API key and view logs, including password reset emails on affected websites.
The first vulnerability, tracked as CVE-2023-6875, is an authorization bypass flaw stemming from a “type juggling” issue on the connect-app REST endpoint, affecting versions 2.8.7 and earlier. The flaw is rated critical, with a CVSS score of 9.8.
“This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover,” reads Wordfence’s security advisory.
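To make the “type juggling” class of bug concrete, here is an added illustration (not the POST SMTP plugin’s code; the token and request bodies are constructed) of how a loose PHP comparison between a stored secret and attacker-controlled input can be satisfied without knowing the secret, alongside the type-safe check that closes the gap:

```php
<?php
// Added illustration of the "type juggling" authorization-bypass class.
// This is NOT the POST SMTP plugin's code; the token and inputs are constructed.

// Vulnerable pattern: loose comparison (==) between a stored secret and input
// that came out of json_decode(). Such input need not be a string at all:
// `true == "any non-empty string"` is true, and two numeric-looking strings
// such as "0e1" and "0e2" compare as equal numbers (both evaluate to 0).
function check_token_loose(string $stored, $supplied): bool {
    return $stored == $supplied;
}

// Hardened pattern: refuse anything that is not a string, then compare with
// hash_equals(), which is type-safe and constant-time.
function check_token_strict(string $stored, $supplied): bool {
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed (hypothetical) secret; chosen to look numeric to show the second trap.
$stored_token = '0e18272919339120183837';

// Inputs as they would arrive after json_decode() of a request body.
$cases = [
    'correct token'         => json_decode('"0e18272919339120183837"'),
    'boolean true'          => json_decode('true'),
    'other numeric-looking' => json_decode('"0e99"'),
    'wrong string'          => json_decode('"not-the-token"'),
];

foreach ($cases as $label => $input) {
    printf("%-22s loose=%-5s strict=%s\n", $label,
        check_token_loose($stored_token, $input) ? 'true' : 'false',
        check_token_strict($stored_token, $input) ? 'true' : 'false');
}
```

Only the first case should authenticate; the loose check also accepts the boolean and the unrelated numeric-looking string, while the strict check rejects both. When reviewing PHP code that gates a privileged action on a secret, look for `==` (or `switch`, which compares loosely) on values taken from request bodies, query strings or headers, and replace it with an explicit type check plus `hash_equals()` or `===`.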
The other flaw, tracked as CVE-2023-7027, is a cross-site scripting (XSS) vulnerability with a lower CVSS score, at 7.2, but still flagged as a high-severity issue. The vulnerable plugin’s “device” header is exposed to this flaw due to “insufficient input sanitization and output escaping” in versions 2.8.7 and earlier.
“This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page,” according to Wordfence.
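The root cause Wordfence names for the XSS, missing sanitization and output escaping of a header value, is shown below in an added example that is not the plugin’s code; the header value is constructed. In WordPress the same roles are played by `sanitize_text_field()` on input and `esc_html()`/`esc_attr()` on output; plain `htmlspecialchars()` is used here so the snippet runs without WordPress:

```php
<?php
// Added illustration of reflecting a request header into HTML, unsafely and safely.
// Not the plugin's code; the header value below is constructed.

// Vulnerable: the raw value is interpolated into the page unchanged, so any
// markup it carries becomes live markup when a user views the page.
function render_device_unsafe(string $device): string {
    return "<td>{$device}</td>";
}

// Hardened: escape for the HTML text context at the point of output.
// ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE avoids dropping the
// whole string on invalid UTF-8 (which would otherwise silently return "").
function render_device_safe(string $device): string {
    $escaped = htmlspecialchars($device, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<td>{$escaped}</td>";
}

// Constructed header value as it might be stored in a log and later displayed.
$device = "<script>alert('xss')</script>";

echo render_device_unsafe($device), "\n";  // markup reaches the browser intact
echo render_device_safe($device), "\n";    // rendered as literal text instead
```

The safe version produces `&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;`, which the browser displays rather than executes. Escaping belongs at output time, chosen for the context (HTML body, attribute, JavaScript, URL), because a value that is harmless in one context can be dangerous in another.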
Gaining full administrative privileges on vulnerable websites could spell disaster for webmasters. Threat actors could further leverage their position by modifying plugins, injecting malware into the websites’ code, opening backdoors, diverting traffic to malicious destinations, and finding ways to achieve persistence.
Wordfence notified the plugin’s vendor about the vulnerabilities on Dec. 8 and Dec. 19. In response, the vendor pushed security fixes in version 2.8.8 of the POST SMTP plugin, released on Jan. 1, 2024.
Unfortunately, reports show that almost half of the websites using the plugin are running a vulnerable version, lower than 2.8. Users of the plugin are advised to update immediately to the latest version to protect their websites from attacks exploiting these vulnerabilities.