
    Serious flaw found in WordPress plugin used by over 300,000 websites

    By techempire

    A WordPress plugin used by more than 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.

    Security researchers at Wordfence have discovered two critical flaws in the POST SMTP mailer plug-in.

    The first flaw allows an attacker to reset the plugin’s authentication API key and view sensitive logs on the affected website (including password reset emails).

    A malicious hacker who exploited this vulnerability could gain access to the key after triggering a password reset. An attacker can then log into the site, target legitimate users, and use their access to cause a variety of damage, including publishing unauthorized content, linking to malicious pages, or planting backdoors.

    A second flaw in the plugin allowed hackers to inject malicious scripts into web pages.

    Wordfence researchers contacted the developers of the POST SMTP Mailer plug-in about the first flaw on December 8, 2023, and provided proof-of-concept code on the same day demonstrating how to exploit the vulnerability.

    A week before Christmas, the researchers contacted the developers again—this time about a second vulnerability.

    To their credit, the plugin’s developers worked to fix these flaws over the Christmas and New Year holidays and released an update (version 2.8.8 of the POST SMTP Mailer plugin) on January 1, 2024 that addressed the security issues in question.

    It would be nice if the problem ended there.

    However, as Bleeping Computer notes, the plugin’s statistics show that only 53% of installations are currently running the latest updated version, meaning approximately 150,000 websites are still vulnerable.

    It’s been over a decade since WordPress introduced the ability to automatically update plugins – but it’s still an option that must be enabled for each individual plugin.

    If you run a WordPress site that uses the POST SMTP mailer plugin, you must verify that your site has been updated to the latest patched version of the plugin (version 2.8.9 at the time of this writing).
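
One way to run that check across several sites from the filesystem, as an added example (not code from the article, Wordfence, or the plugin's developers). It reads the standard `Version:` plugin header and compares it numerically against 2.8.8, the release the article names as the fix; the `post-smtp` folder name, the sample file name, and the sample sites are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

FIXED = "2.8.8"           # release the article says fixed both flaws
PLUGIN_DIR = "post-smtp"  # assumed folder name under wp-content/plugins

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def as_tuple(version, width=4):
    """'2.8.10-beta' -> (2, 8, 10, 0), so 2.8.10 sorts above 2.8.8."""
    nums = [int(n) for n in re.findall(r"\d+", re.match(r"[\d.]*", version).group())]
    return tuple((nums + [0] * width)[:width])

def installed_version(plugin_path):
    """Read the Version header from the plugin's main PHP file (first 8 KB)."""
    for php in sorted(Path(plugin_path).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def check_site(plugins_root):
    """Classify one wp-content/plugins directory."""
    path = Path(plugins_root) / PLUGIN_DIR
    if not path.is_dir():
        return "not-installed"
    version = installed_version(path)
    if version is None:
        return "unknown-version"
    return "patched" if as_tuple(version) >= as_tuple(FIXED) else "vulnerable"

def demo():
    """Constructed sample sites; each value is a fake plugin header version."""
    samples = {"site-a": "2.8.7", "site-b": "2.8.8", "site-c": "2.8.10", "site-d": None}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in samples.items():
            root = Path(tmp) / site / "wp-content" / "plugins"
            root.mkdir(parents=True)
            if ver:
                (root / PLUGIN_DIR).mkdir()
                # Constructed main file name and header, for the demo only.
                (root / PLUGIN_DIR / "main.php").write_text(
                    f"<?php\n/*\n * Plugin Name: POST SMTP\n * Version: {ver}\n */\n")
            results[site] = check_site(root)
    return results
```

Comparing the versions as plain strings would rank 2.8.10 below 2.8.8 and report a patched site as vulnerable, which is why the check converts them to integer tuples first.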


    Editor’s note: The opinions expressed in this guest author article are those of the contributor and do not necessarily reflect the views of Tripwire.
