Critical flaw found in WordPress plugin used on over 300,000 websites

A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.

Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin.

The first flaw made it possible for attackers to reset the plugin’s authentication API key and view sensitive logs (including password reset emails) on the affected website.

A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem – including publishing unauthorised content, linking to malicious webpages, or planting backdoors.

The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.

Wordfence’s researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.

In the week before Christmas, the researchers contacted the developers again – this time about the second vulnerability.

To their credit, the plugin’s developers worked over the Christmas and New Year break to fix the flaws, publishing an update (version 2.8.8 of POST SMTP Mailer plugin) on January 1, 2024, which addressed the security issues.

It would be nice to think that the problem ended there.

However, as Bleeping Computer notes, the plugin’s statistics show that only 53% of installations are currently running the latest updated version, meaning approximately 150,000 sites remain vulnerable.

It’s over ten years since WordPress introduced the ability to automatically update plugins – but it remains an option that has to be enabled for each individual plugin.

If you run a WordPress-powered website that uses the POST SMTP Mailer plugin, it’s essential that you verify your site has been updated to use the latest patched version of the plugin (version 2.8.9 at the time of writing.)

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts