Description
WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently reset the API key used to authenticate to the mailer, and view logs, including password reset emails, allowing site takeover. WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark version 2.8.7 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.8.8 or latest
References
https://sploitus.com/exploit?id=WPEX-ID:B66C4057-E3D5-4A92-A319-F3E36441270F
https://plugins.svn.wordpress.org/post-smtp/trunk/readme.txt
Related Vulnerabilities
Liferay Portal Excessive Iteration Vulnerability (CVE-2024-25144)
WordPress Plugin Payment Form for PayPal Pro SQL Injection (1.1.64)
MediaWiki Other Vulnerability (CVE-2013-4570)
WordPress Plugin Sermon Browser Cross-Site Scripting and SQL Injection Vulnerabilities (0.43)
WordPress Plugin XML Sitemap & Google News feeds Cross-Site Scripting (4.5)