On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000 active installations.
This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails on WordPress sites that use this plugin.
We also received another submission shortly after, from a second researcher, for an Unauthenticated Stored Cross-Site Scripting vulnerability in the POST SMTP Mailer plugin.
Special props to Ulyses Saicha and Sean Murphy, who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting these vulnerabilities on January 3, 2024.
We urge users to update their sites with the latest patched version of POST SMTP Mailer, version 2.8.8 at the time of this writing, as soon as possible.
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'device' header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping.
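The stored XSS summary above comes down to two missing controls: the value of a request header is stored without sanitization and later rendered without escaping. The following PHP is an added illustration written for this advisory, not code from the POST SMTP Mailer plugin; it puts a generic vulnerable log-and-render flow next to the hardened one. The header name, the sample payload and the shims for WordPress's sanitize_text_field() and esc_html() (included only so the file runs outside WordPress) are all assumptions of this example.

```php
<?php
// Added example for this advisory, not code from the POST SMTP Mailer plugin.
// A request header value is logged without sanitization and rendered without
// escaping; the same flow is then shown hardened. The header value is constructed.

// Stand-ins for the WordPress helpers so this runs outside WordPress. Inside a
// plugin use the real sanitize_text_field() and esc_html(); these approximations
// are not a substitute for them.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable flow: store the raw header, then echo it raw into an admin table.
// In a WP REST handler the raw value would arrive via $request->get_header('device').
function log_device_vulnerable(array $log, $device_header) {
    $log[] = ['device' => $device_header];           // no sanitization on input
    return $log;
}
function render_log_vulnerable(array $log) {
    $html = '';
    foreach ($log as $entry) {
        $html .= '<td>' . $entry['device'] . '</td>';  // no escaping on output
    }
    return $html;
}

// Hardened flow: sanitize on the way in AND escape on the way out. Either one
// alone is insufficient: data can reach the table by another path, and a
// sanitizer does not know which output context the value will land in.
function log_device_hardened(array $log, $device_header) {
    $log[] = ['device' => sanitize_text_field($device_header)];
    return $log;
}
function render_log_hardened(array $log) {
    $html = '';
    foreach ($log as $entry) {
        $html .= '<td>' . esc_html($entry['device']) . '</td>';
    }
    return $html;
}

// Constructed header value an unauthenticated client could send.
$device = 'Pixel 7 <script>alert(document.cookie)</script>';

echo render_log_vulnerable(log_device_vulnerable([], $device)), "\n";
echo render_log_hardened(log_device_hardened([], $device)), "\n";
```

Run it with `php xss_example.php`: the first line is the script tag embedded verbatim inside the table cell, which is exactly what an administrator's browser would execute when viewing the log; the second line has the tag removed on input and any remaining special characters entity-encoded on output.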
Technical Analysis #1: Authorization Bypass via type juggling in the connect-app API. The POST SMTP Mailer plugin configures an SMTP mailer in WordPress, replacing the default PHP mail function to improve email deliverability.
A mobile application can be connected to the plugin using a generated auth key.
Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.
The function deletes the stored auth token in all cases, regardless of whether the supplied key passes validation, which is what lets an unauthenticated request reset it.
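The summary calls this a type juggling issue. The page does not show the plugin's comparison itself, so the following PHP is an added, generic illustration written for this advisory, not code from POST SMTP Mailer: it shows how a loose (`==`) comparison of an auth key in a PHP REST endpoint can be satisfied without knowing the key, and a strict, constant-time replacement. The key values and the JSON bodies are constructed for the example.

```php
<?php
// Added example for this advisory, not code from the POST SMTP Mailer plugin.
// Shows the class of bug described on the page (loose comparison of an auth key
// in a PHP REST endpoint) beside a hardened check. Key values are constructed.

// Vulnerable pattern: PHP's loose comparison applies type juggling.
function check_key_loose($supplied, $stored) {
    return $supplied == $stored;
}

// Hardened pattern: insist on strings, then compare in constant time.
// hash_equals() throws a TypeError on non-strings in PHP 8, so the is_string()
// guard stops attacker-controlled types from turning into a 500 instead of a 403.
function check_key_strict($supplied, $stored) {
    if (!is_string($supplied) || !is_string($stored)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed stored key (hypothetical value, as a site option would hold it).
$stored_key = 'a1b2c3d4e5f6a7b8';

// A REST client posting JSON can send a boolean where a string is expected.
// Under ==, true compared with any non-empty string is true, so the attacker
// needs no knowledge of the key at all.
$body = json_decode('{"auth_key": true}', true);
printf("boolean true, loose:  %s\n", var_export(check_key_loose($body['auth_key'], $stored_key), true));
printf("boolean true, strict: %s\n", var_export(check_key_strict($body['auth_key'], $stored_key), true));

// Two numeric-looking strings are compared as numbers under ==, so any pair of
// "0e<digits>" strings (each equal to 0.0) compares equal. These two are the md5()
// hashes of "240610708" and "QNKCDZO"; this matters when keys are stored as hashes.
$stored_hash = '0e462097431906509019562988736854';
$forged_hash = '0e830400451993494058024219903391';
printf("0e hash, loose:  %s\n", var_export(check_key_loose($forged_hash, $stored_hash), true));
printf("0e hash, strict: %s\n", var_export(check_key_strict($forged_hash, $stored_hash), true));

// Integer 0 against a non-numeric string compares equal under == on PHP 7 but
// not on PHP 8, so relying on the PHP version of the host is not a fix.
$body = json_decode('{"auth_key": 0}', true);
printf("integer 0, loose:  %s\n", var_export(check_key_loose($body['auth_key'], $stored_key), true));
printf("integer 0, strict: %s\n", var_export(check_key_strict($body['auth_key'], $stored_key), true));
```

Run it with `php juggling_example.php` on PHP 7 or 8. The loose check accepts the boolean and the forged "0e" hash on every version, and the integer 0 on PHP 7; the strict check rejects all of them. When reviewing a REST permission callback, look for `==` against a secret, for a `permission_callback` that returns true unconditionally, and for any path on which state (here, the stored token) is changed before the check has passed.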
Once an attacker has gained administrative access to a WordPress site, they can manipulate anything on the targeted site just as a legitimate administrator would.
December 8, 2023 - We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.
In this blog post, we detailed an Authorization Bypass vulnerability and a Stored Cross-Site Scripting vulnerability within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier.
The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise.
The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.
Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
Originally published on www.wordfence.com on Wed, 10 Jan 2024 16:28:04 +0000.