Hundreds of thousands of WordPress sites threatened by an insecure plugin

A popular WordPress plugin with more than 300,000 active installs contained two high-severity vulnerabilities that could allow threat actors to completely take over the sites running it, experts warn.

Cybersecurity researchers at Wordfence identified the flaws in early December last year and reported them to the plugin's developers.

According to the researchers, the vulnerable plugin is POST SMTP, a mailer plugin that routes a site's outgoing email (notifications, password resets and similar messages) through a configured SMTP server. It contained two major flaws, tracked as CVE-2023-6875 and CVE-2023-7027.

Hundreds of thousands of potential victims

The first is a critical authorization bypass that affects all versions of the plugin up to and including 2.8.7. By exploiting it, an unauthenticated attacker can reset the plugin's API key and read the plugin's email logs. Because the plugin logs the messages it sends, those logs include password reset emails, which lets the attacker reset an administrator's password and log in. With administrator access they can install backdoors, modify plugins and themes, tamper with site content, or redirect visitors elsewhere (for example, to a phishing page or to a site defaced with advertisements).

The second is a cross-site scripting (XSS) vulnerability, also present in all versions up to and including 2.8.7. By exploiting it, attackers can inject arbitrary scripts that run in the browser of anyone who views the affected page.

The flaws were reported in early December; the patch became available on January 1, 2024. Anyone using POST SMTP should make sure the plugin is updated to version 2.8.8 or later. Updating alone does not undo a takeover that has already happened: because the exposed logs contain password reset emails, administrators of sites that may have been targeted should also reset administrator passwords and check for unexpected admin accounts and modified plugin or theme files.
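The version check is where practitioners get tripped up: "all versions up to and including 2.8.7" must be compared numerically, so that 2.8.10 counts as patched and 2.8 as vulnerable, which a plain string comparison gets wrong. The script below is an added example, not code from the article, Wordfence, or the plugin. It reads the standard WordPress plugin header line (`Version: x.y.z`) from the plugin's main file and classifies the install; the path `wp-content/plugins/post-smtp/postman-smtp.php` and the sample header are assumptions made for illustration.

```python
"""Classify a WordPress install's POST SMTP version against the 2.8.8 fix.

Added example (not from the article or the plugin). Assumptions:
- the plugin's main file lives at wp-content/plugins/post-smtp/postman-smtp.php
- its header carries the standard WordPress "Version:" line
"""
import re
from pathlib import Path

FIXED_VERSION = "2.8.8"  # first release with the fixes for CVE-2023-6875 / CVE-2023-7027
PLUGIN_MAIN_FILE = Path("wp-content/plugins/post-smtp/postman-smtp.php")  # assumed layout

# Matches " * Version: 2.8.7" style header lines anywhere in the file.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)

# Constructed sample header in the WordPress plugin-header format (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Post SMTP
 * Plugin URI: https://example.invalid/post-smtp
 * Version: 2.8.7
 */
"""


def parse_version(version: str) -> tuple:
    """'2.8.10' -> (2, 8, 10).

    Numeric tuples compare correctly ((2, 8, 10) > (2, 8, 8)), unlike the
    strings themselves ('2.8.10' < '2.8.8'). A non-numeric suffix such as
    '-beta' ends the tuple.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def plugin_version_from_header(text: str):
    """Return the Version: value from a plugin file header, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True for every release up to and including 2.8.7."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify(header_text: str) -> tuple:
    """Return (status, version) for the text of the plugin's main file."""
    version = plugin_version_from_header(header_text)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)


def check_site(webroot: str) -> tuple:
    """Inspect one WordPress document root on disk."""
    path = Path(webroot) / PLUGIN_MAIN_FILE
    if not path.is_file():
        return ("not-installed", None)
    return classify(path.read_text(errors="replace"))


if __name__ == "__main__":
    # Demonstrate the numeric comparison on a few release strings.
    for v in ("2.7", "2.8.7", "2.8.8", "2.8.10"):
        print(f"{v:>7}: {'vulnerable' if is_vulnerable(v) else 'patched'}")
    # Classify the constructed header, then any webroots passed as arguments.
    print("sample header:", classify(SAMPLE_HEADER))
    import sys
    for root in sys.argv[1:]:
        print(root, check_site(root))
```

Run it with one or more document roots as arguments (`python check_post_smtp.py /var/www/site1 /var/www/site2`) to sweep a fleet; anything reported as `vulnerable` or `unknown` needs a manual look.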

According to BleepingComputer, approximately 150,000 websites run POST SMTP versions older than 2.8. The remaining roughly 150,000 run a 2.8.x release, which is still vulnerable unless it is 2.8.8. Since the patch was released the plugin has been downloaded approximately 100,000 times, so most of the roughly 300,000 installs had not yet been updated at the time of reporting.

POST SMTP is a free plugin, rated 4.8/5 in the WordPress plugin repository.

WordPress core is generally considered secure as a website builder. The risk lies in its ecosystem of tens of thousands of free plugins, many of which contain vulnerabilities of their own. Some plugins remain popular with users even though their developers have abandoned them, so new flaws never get patched and the sites running them stay exposed.
