Description
WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently reset the API key used to authenticate to the mailer, and view logs, including password reset emails, allowing site takeover. WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark version 2.8.7 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.8.8 or latest
References
https://sploitus.com/exploit?id=WPEX-ID:B66C4057-E3D5-4A92-A319-F3E36441270F
https://plugins.svn.wordpress.org/post-smtp/trunk/readme.txt
Related Vulnerabilities
MySQL CVE-2020-2904 Vulnerability (CVE-2020-2904)
WordPress Plugin Pinterest Badge Cross-Site Scripting (1.9.0)
WordPress Plugin Fathom Analytics Cross-Site Scripting (3.0.4)
WordPress Plugin Ad Blocker Notify Lite Cross-Site Scripting (2.4.0)
WordPress Plugin Translate Multilingual sites-TranslatePress Cross-Site Scripting (2.0.8)