Vulnerability Summary from Wordfence Intelligence
Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API
Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Affected Versions: <= 2.8.7
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ulyses Saicha
Fully Patched Version: 2.8.8
Bounty Awarded: $4,125.00
The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device
Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Affected Versions: <= 2.8.7
CVE ID: CVE-2023-7027
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Sean Murphy
Fully Patched Version: 2.8.8
Bounty Awarded: $825.00
The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Technical Analysis #1: Authorization Bypass via type connect-app API
The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.
[View this code snippet on the blog]
Knowledge of a randomly generated authentication nonce is required in order to set the value of the FCM token. However, the plugin deletes the auth token in all cases. This means that after sending the request, the auth nonce is always empty. This made it possible for the attacker to set the FCM token in the next request, providing a zero value for the auth key which would successfully validate as true.
With the connected application, it is possible to access and view all emails, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account.
Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device
In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that a sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function.
[View this code snippet on the blog]
This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with all Cross-Site Scripting vulnerabilities, this can be leveraged by an attacker to achieve remote code execution.
Wordfence Firewall
The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.
post-smtp-mailer-authorization-bypass-howto-wordfence-firewall
Disclosure Timeline
December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.
December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.
December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.
December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.
January 1, 2024 – The fully patched version, 2.8.8, is released.
January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
February 2, 2024 – Wordfence Free users receive the same protection.
Conclusion
In this blog post, we detailed an Authorization Bypass and a Stored Cross-Site Scripting vulnerabilities within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.
Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.