A popular WordPress plugin with more than 300,000 installations had two high-severity vulnerabilities that could allow threat actors to completely take over websites, experts warned.
Cybersecurity researchers at Wordfence discovered the flaw in early December last year and reported it to developers.
According to researchers, the vulnerable plugin is POST SMTP, a tool that helps webmasters send emails to their visitors. It had two major flaws, tracked as CVE-2023-6875 and CVE-2023-7027.
Hundreds of thousands of potential victims
The first is a critical authorization bypass vulnerability that affects all versions of the plugin up to 2.8.7. By abusing the flaw, a threat actor could reset API keys and thus gain access to sensitive registration information, such as password reset emails. They could even abuse the vulnerability to install backdoors, modify plugins and themes, alter site content, or redirect users elsewhere (for example, to a malicious phishing page or an ad-ridden site).
The second is a cross-site scripting (XSS) vulnerability, also present in all versions up to 2.8.7. By abusing it, attackers can inject arbitrary scripts into the site.
The flaws were first detected in early December and the patch was made available on January 1, 2024. Those using POST SMTP should make sure the plugin is updated to version 2.8.8.
According to BleepingComputer, about 150,000 websites are running POST SMTP versions earlier than 2.8. The other 150,000 are using a newer but still vulnerable version. Since the patch was released, there have been about 100,000 new downloads.
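A site owner who wants to confirm the installed POST SMTP version without relying on the WordPress dashboard can read it from the plugin's main-file header and compare it against the fixed release. The script below is an added example, not code from the article or from the plugin's developers; it assumes the plugin lives at wp-content/plugins/post-smtp/post-smtp.php (an assumption, verify the path on your install) and uses a constructed sample header so it runs offline. It compares versions numerically rather than as strings, so a future 2.8.10 is correctly treated as newer than 2.8.8.

```python
import os
import re
import tempfile

# Patched release named in the advisory
FIXED_VERSION = "2.8.8"

# Assumed location of the plugin's main file relative to the plugins directory
# (assumption: verify against your installation)
PLUGIN_MAIN_FILE = os.path.join("post-smtp", "post-smtp.php")

# Constructed sample of a WordPress plugin header block (not the real file contents)
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Description: constructed sample header for the version check
 * Version: 2.8.7
 */
"""


def parse_plugin_version(header_text):
    """Return the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '2.8.7' into (2, 8, 7); non-numeric suffixes such as '-beta' are dropped."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator; shorter versions are zero-padded."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version predates the patched release."""
    return compare_versions(installed, fixed) < 0


def audit_plugins_dir(plugins_root):
    """Inspect the plugin main file under plugins_root and report its status."""
    path = os.path.join(plugins_root, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return {"installed": False, "version": None, "vulnerable": False}
    with open(path, encoding="utf-8", errors="replace") as fh:
        # The header block sits at the top of the file; 8 KiB is ample
        version = parse_plugin_version(fh.read(8192))
    if version is None:
        # Cannot determine the version: treat as needing manual review
        return {"installed": True, "version": None, "vulnerable": True}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


def main():
    # Build a throwaway plugins directory containing the constructed sample
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "post-smtp"))
        with open(os.path.join(root, PLUGIN_MAIN_FILE), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HEADER)
        result = audit_plugins_dir(root)
        status = "UPDATE REQUIRED" if result["vulnerable"] else "OK"
        print(f"POST SMTP {result['version']}: {status} (fixed in {FIXED_VERSION})")


if __name__ == "__main__":
    main()
```

Point `audit_plugins_dir` at the real wp-content/plugins directory to check a live install; the same comparator can be reused for any plugin by changing the main-file path and the fixed version.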
POST SMTP is a free plugin, rated 4.8/5 in the WordPress plugin repository.
Generally speaking, WordPress as a website builder is considered safe. However, there are tens of thousands of free plugins with vulnerabilities of their own. Some of these plugins, despite being popular among users, are no longer supported by their developers, which puts the sites running them at considerable risk.