
WordPress POST SMTP Mailer 2.8.7 Authorization Bypass / Cross Site Scripting

Posted Jan 11, 2024
Authored by Ulyses Saicha, Sean Murphy | Site wordfence.com

WordPress POST SMTP Mailer plugin versions 2.8.7 and below suffer from authorization bypass and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, bypass
advisories | CVE-2023-6875, CVE-2023-7027
SHA-256 | 1bdd84a69d04f6ca05b840e49215c74a3095a9b4cd20f08c7cd6c500f98bc02f

Vulnerability Summary from Wordfence Intelligence

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-6875

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Ulyses Saicha

Fully Patched Version: 2.8.8

Bounty Awarded: $4,125.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-7027

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Sean Murphy

Fully Patched Version: 2.8.8

Bounty Awarded: $825.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis #1: Authorization Bypass via type connect-app API

The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.

[View this code snippet on the blog]

Setting the FCM token requires knowledge of a randomly generated, one-time authentication key. However, the plugin deletes that stored key on every request to the endpoint, whether or not the supplied value matched, so after a single failed request the stored key is empty. Because the comparison is loose (the type juggling noted in the summary above), a follow-up request that supplies a zero value for the auth key compares equal to the now-empty stored value and is accepted, letting an unauthenticated attacker register an FCM token of their choosing.
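To make the failure mode concrete, here is an added example that is not the plugin's code and is not taken from the Wordfence post: a minimal PHP stand-in for the connect-app handler that keeps the one-time key in a WordPress transient, compares it with ==, and deletes it on every call, next to a hardened version. The names connect_app_vulnerable() and connect_app_fixed(), the in-memory transient stubs, the transient name post_smtp_auth_key and the constructed key are all assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code). Models the flaw described above:
// a one-time key that is deleted on every call and compared loosely.
// Assumptions: the key is held in a WordPress transient (get_transient()
// returns false when nothing is stored), and the request supplies the key
// and the FCM token as header strings (null when the header is absent).

declare(strict_types=1);

// In-memory stand-ins for the WordPress transient API so this runs standalone.
if (!function_exists('get_transient')) {
    $GLOBALS['demo_transients'] = [];
    function get_transient(string $key) { return $GLOBALS['demo_transients'][$key] ?? false; }
    function set_transient(string $key, $value, int $ttl = 0): bool { $GLOBALS['demo_transients'][$key] = $value; return true; }
    function delete_transient(string $key): bool { unset($GLOBALS['demo_transients'][$key]); return true; }
}

/** Vulnerable stand-in: loose comparison, and the key is deleted whether or not it matched. */
function connect_app_vulnerable(?string $auth_key, ?string $fcm_token): bool
{
    $stored = get_transient('post_smtp_auth_key');   // false once the key has been deleted
    $ok = ($auth_key == $stored) && $fcm_token;      // type juggling: "0" == false is true in PHP
    delete_transient('post_smtp_auth_key');          // runs on every request, success or not
    return $ok;                                       // true means the caller's FCM token is saved
}

/** Hardened stand-in: non-empty string key, constant-time compare, consume only on success. */
function connect_app_fixed(?string $auth_key, ?string $fcm_token): bool
{
    $stored = get_transient('post_smtp_auth_key');
    if (!is_string($stored) || $stored === '' || !is_string($auth_key) || $fcm_token === null || $fcm_token === '') {
        return false;                                 // nothing to pair against, or malformed request
    }
    if (!hash_equals($stored, $auth_key)) {
        return false;                                 // wrong guess: the key stays until it expires
    }
    delete_transient('post_smtp_auth_key');           // consume the key only after a verified match
    return true;
}

/** Prints one walk-through step and stops the script if the observed result is not the one expected. */
function check(string $label, bool $got, bool $want): void
{
    printf("%-46s %s\n", $label, $got === $want ? 'as expected' : 'UNEXPECTED');
    if ($got !== $want) {
        exit(1);
    }
}

$KEY = 'c0ffee5ec0ded00d4baddecaf1234abc';            // constructed 128-bit key, hex-encoded

// Vulnerable flow: one failed request wipes the key, the next request bypasses the check.
set_transient('post_smtp_auth_key', $KEY);
check('vulnerable: wrong guess rejected',          connect_app_vulnerable('wrong-guess', 'attacker-fcm'), false);
check('vulnerable: key gone after failed attempt', get_transient('post_smtp_auth_key') === false, true);
check('vulnerable: "0" now accepted (bypass)',     connect_app_vulnerable('0', 'attacker-fcm'), true);

// Hardened flow: failures leave the key in place, and only the real key pairs, exactly once.
set_transient('post_smtp_auth_key', $KEY);
check('fixed: wrong guess rejected',               connect_app_fixed('wrong-guess', 'attacker-fcm'), false);
check('fixed: key still present after failure',    get_transient('post_smtp_auth_key') === $KEY, true);
check('fixed: "0" rejected',                       connect_app_fixed('0', 'attacker-fcm'), false);
check('fixed: missing header rejected',            connect_app_fixed(null, 'attacker-fcm'), false);
check('fixed: real key accepted once',             connect_app_fixed($KEY, 'legit-fcm'), true);
check('fixed: replay rejected',                    connect_app_fixed($KEY, 'legit-fcm'), false);
```

Run it with the php command-line interpreter. hash_equals() is used because it only accepts strings and compares in constant time, and the hardened version refuses missing or empty values before comparing at all, so there is no path on which an absent or falsy value can equal an absent stored key. Leaving the key in place after a wrong guess is a deliberate trade: it denies an unauthenticated caller the ability to invalidate a legitimate pairing, while a random 128-bit key makes guessing it within its expiry infeasible.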

With an application connected under the attacker's FCM token, it is possible to access and view all logged emails, including password reset emails. An attacker can therefore trigger a password reset for a site administrator, read the reset link out of the logged email, set a new password for that account and log in, achieving complete site compromise.

Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device

In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that a sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function.

[View this code snippet on the blog]

This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with other stored Cross-Site Scripting vulnerabilities that fire in an administrator's session, this can be chained, for example by using that session to install a plugin or edit theme files, to achieve remote code execution.
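The two missing controls, sanitization at the connect_app() input and escaping at the section() output, are easiest to see side by side. The following is an added example, not the plugin's code and not from the Wordfence post: it models the device header being stored and later rendered into an admin table, in a vulnerable form and a hardened form. The store_device_*() and render_section_*() function names, the payload string and the simplified stand-ins for WordPress's sanitize_text_field() and esc_html() are assumptions made so the file runs without WordPress; the real WordPress helpers do more than the stand-ins shown here.

```php
<?php
// Added example (not the plugin's code). Models the stored XSS described above:
// the "device" request header is saved unsanitized and later echoed into the
// admin settings table unescaped. The WordPress helpers are replaced by
// simplified stand-ins (an assumption) so the file runs without WordPress.

declare(strict_types=1);

if (!function_exists('sanitize_text_field')) {
    /** Simplified stand-in for sanitize_text_field(): strip tags and control characters, trim. */
    function sanitize_text_field(string $str): string
    {
        $str = strip_tags($str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str) ?? '';
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    /** Simplified stand-in for esc_html(): encode for an HTML text-node context. */
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

/** Vulnerable pair: the header is stored as-is and echoed as-is. */
function store_device_vulnerable(array $apps, string $fcm_token, string $device): array
{
    $apps[$fcm_token] = ['device' => $device];
    return $apps;
}
function render_section_vulnerable(array $apps): string
{
    $rows = '';
    foreach ($apps as $app) {
        $rows .= '<tr><td>' . $app['device'] . '</td></tr>';   // raw attacker data into HTML
    }
    return '<table>' . $rows . '</table>';
}

/** Hardened pair: sanitize on the way in and escape on the way out. */
function store_device_fixed(array $apps, string $fcm_token, string $device): array
{
    $apps[$fcm_token] = ['device' => sanitize_text_field($device)];
    return $apps;
}
function render_section_fixed(array $apps): string
{
    $rows = '';
    foreach ($apps as $app) {
        $rows .= '<tr><td>' . esc_html($app['device']) . '</td></tr>';   // encoded for a text node
    }
    return '<table>' . $rows . '</table>';
}

/** True if the payload no longer appears as live markup in the rendered page. */
function markup_neutralized(string $html, string $payload): bool
{
    return strpos($html, $payload) === false && strpos($html, '<td><') === false;
}

// Constructed header value an unauthenticated client could send as "device",
// next to the kind of value a real mobile client would send.
$payload = '<img src=x onerror=alert(document.domain)>';
$legit   = 'Pixel 7';

$rawStore       = store_device_vulnerable([], 'fcm-1', $payload);
$sanitizedStore = store_device_fixed([], 'fcm-1', $payload);

$results = [
    'raw store + raw render'             => markup_neutralized(render_section_vulnerable($rawStore), $payload),
    'sanitized store + raw render'       => markup_neutralized(render_section_vulnerable($sanitizedStore), $payload),
    'raw store + escaped render'         => markup_neutralized(render_section_fixed($rawStore), $payload),
    'sanitized store + escaped render'   => markup_neutralized(render_section_fixed($sanitizedStore), $payload),
    'legitimate device name preserved'   => render_section_fixed(store_device_fixed([], 'fcm-2', $legit))
                                            === '<table><tr><td>Pixel 7</td></tr></table>',
];
foreach ($results as $case => $ok) {
    printf("%-36s %s\n", $case, $ok ? 'safe' : 'XSS');
}
```

Only the first combination renders the payload as live markup. Output escaping on its own already neutralizes data that was stored raw, which matters because the stored value outlives the fix and may already be in the database; input sanitization on its own happens to catch this payload but offers no protection for any other sink that reads the same option, which is why both controls belong in the patch.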

Wordfence Firewall

The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.


Disclosure Timeline

December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.

December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.

December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.

January 1, 2024 – The fully patched version, 2.8.8, is released.

January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

February 2, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Authorization Bypass vulnerability and a Stored Cross-Site Scripting vulnerability within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. Both vulnerabilities have been fully addressed in version 2.8.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
