Two critical vulnerabilities in the widely-used POST SMTP Mailer WordPress plugin, impacting around 300,000 websites, pose a serious security risk. Discovered by Wordfence security researchers Ulysses Saicha and Sean Murphy, the first flaw (CVE-2023-6875) allows unauthenticated attackers to reset the API key, gaining access to sensitive log information, including password reset emails. The second vulnerability (CVE-2023-7027) is a cross-site scripting issue that enables attackers to inject arbitrary scripts into affected site pages. Wordfence reported the critical flaw on December 8, 2023, and the vendor released version 2.8.8 on January 1, 2024, containing fixes for both vulnerabilities.
The first vulnerability arises from an authorization bypass flaw, allowing attackers to manipulate the authentication key and compromise site authentication. By exploiting a function related to the mobile app, an attacker can set a valid token with a zero value for the authentication key, triggering a password reset for the site’s admin. This manipulation enables the attacker to access and change the key from within the application, locking the legitimate user out of the account. With administrator privileges, the attacker gains full access to the site, enabling the planting of backdoors, modification of plugins and themes, and redirection of users to malicious destinations.
The second vulnerability, a cross-site scripting (XSS) flaw, results from insufficient input sanitization and output escaping in POST SMTP Mailer. Attackers can inject arbitrary scripts into web pages, potentially leading to various malicious activities. Wordfence notified the vendor about the critical flaw on December 8, 2023, followed by a proof-of-concept (PoC) exploit on December 15. The vendor released version 2.8.8 on January 1, 2024, addressing both vulnerabilities. Despite the patch, roughly 150,000 sites still run versions lower than 2.8, while thousands of others with version 2.8 and higher may remain vulnerable, emphasizing the importance of prompt updates for site owners.
