Qualys Security Advisory
WordPress POST SMTP Mailer Plugin, a widely used email delivery tool, is vulnerable to two flaws that may allow a threat attacker to control a site’s authentication completely. Tracked as CVE-2023-6875 and CVE-2023-7027, the vulnerabilities have been given critical and high severity ratings, respectively.
Last Month, Ulyses Saicha and Sean Murphy discovered and reported these vulnerabilities through the Wordfence Bug Bounty Program.
The plugin helps deliver emails generated by a WordPress site. As per WordPress, the plugin has more than 300,000 active installations worldwide. The Plugin improves email deliverability by routing the emails through a reliable SMTP server. The features include email logging, authentication (OAuth), notification, configuration testing, and more.
CVE-2023-6875: Authorization Bypass via Type Connect-app API
The vulnerability arises from a type juggling flaw on the connect-app REST endpoint. This vulnerability allows an unauthenticated threat actor to reset the API key used to authenticate to the mailer and view logs, including password reset emails on WordPress sites that use this plugin. Successful exploitation of the vulnerability may allow an attacker to take over the site.
To enhance email delivery, the POST SMTP Mailer plugin replaces the built-in PHP mail function with an SMTP mailer in WordPress. A generated auth key can also help to link a mobile application to the plugin. The analysis reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.
The plugin deletes the auth token in all requests, making the auth nonce always empty after the request submission. An attacker can exploit this to set the FCM token in the subsequent request and provide a zero value for the auth key, which would be successfully validated as true.
Successful validation will allow an attacker to access and view all emails, including password reset emails of the connected application. Furthermore, an attacker can trigger a password reset for a site’s administrator user and then obtain the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account.
Once an attacker has gained administrative user access to a WordPress site, they can upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages, which can be leveraged to redirect site users to other malicious sites.
CVE-2023-7027: Unauthenticated Stored Cross-Site Scripting via Device
The vulnerability originates from insufficient input sanitization and output escaping. On successful exploitation, an unauthenticated attacker may inject arbitrary web scripts in pages, which execute whenever an administrator opens the mobile application settings page.
In the same connect_app() function of the plugin, the mobile application connection settings include the device value. A sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function. An unauthenticated attacker can exploit this to inject arbitrary web scripts.
The vulnerabilities affect the POST SMTP versions before 2.8.8.
Customers are requested to upgrade to POST SMTP version 2.8.8 or later to mitigate this vulnerability.
For more information about the mitigation, please refer to WordPress Security Advisory.
Qualys customers can scan their devices with QID 731078 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.