“Never Assume Anything” – Unauthenticated Stored Cross-Site Scripting Vulnerability Exposed in 14 Email Logging Plugins

“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers. When it comes to WordPress plugin security, assumptions can be dangerous. This became evident when the Wordfence Threat Intelligence team discovered an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 14 different email logging plugins. The common thread? An assumption that the contents of emails generated within a WordPress instance could not be influenced by external actors. This oversight potentially exposed over 600,000 users to significant security risks.
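The pattern behind all 14 findings is the same: a logger captures every outgoing email, stores the subject and body verbatim, and later prints them into an admin page without escaping. Because WordPress sends mail in response to actions anyone can take (comment notifications, registration and password-reset mail, contact-form submissions), the stored fields can carry attacker-chosen markup that runs in the administrator's browser when the log is viewed. The following is an added example written for this page, not code from any of the plugins listed below; it uses a hypothetical log viewer and a constructed sample message to show the unsafe rendering next to its hardened form. `esc_html()`, `add_filter()` and the `wp_mail` filter are real WordPress APIs; the shims are only there so the file also runs under plain `php` on the command line.

```php
<?php
// Added example (not from any listed plugin): a minimal email log viewer
// showing the unsafe output pattern and its hardened form.
// Assumption: inside WordPress, esc_html() already exists. The shim below is
// only for running this file with the PHP CLI outside WordPress.

if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Capture point used by email loggers: the wp_mail filter sees every outgoing
// message, including those triggered by anonymous visitors. Storing the raw
// fields is fine; the defect is trusting them later at output time.
if (function_exists('add_filter')) {
    add_filter('wp_mail', function (array $args): array {
        // hypothetical storage call; $args['subject'] and $args['message']
        // are attacker-influenced whenever the mail was triggered by a visitor
        // email_log_store($args);
        return $args;
    });
}

// Constructed sample: what a logger would capture after an unauthenticated
// visitor submitted a comment that triggered a notification email.
$logged_mail = [
    'to'      => 'admin@example.test',
    'subject' => 'New comment: <script>alert(1)</script>',
    'message' => "Visitor wrote:\n<img src=x onerror=alert(document.cookie)>",
];

// UNSAFE: trusts stored mail fields because "emails come from WordPress".
function render_log_row_unsafe(array $mail): string
{
    return '<tr><td>' . $mail['to'] . '</td>'
         . '<td>' . $mail['subject'] . '</td>'
         . '<td>' . $mail['message'] . '</td></tr>';
}

// HARDENED: every field that could originate outside the admin's control is
// escaped for the HTML-body context in which it is printed. Showing the body
// as escaped text (not as HTML) is the conservative choice for a log viewer.
function render_log_row_safe(array $mail): string
{
    return '<tr><td>' . esc_html($mail['to']) . '</td>'
         . '<td>' . esc_html($mail['subject']) . '</td>'
         . '<td><pre>' . esc_html($mail['message']) . '</pre></td></tr>';
}

echo render_log_row_unsafe($logged_mail), PHP_EOL; // <script> reaches the admin's browser
echo render_log_row_safe($logged_mail), PHP_EOL;   // markup rendered as inert text
```

If a plugin must display HTML mail as rendered HTML, the safer options are to pass the body through `wp_kses_post()` (which strips script-bearing tags and attributes) or to render it inside a sandboxed iframe, rather than echoing the stored string. Reviewing a logger for this class of bug means tracing each stored field from the `wp_mail` filter to the point where it is printed and confirming that an escaping function sits in between.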

We contacted all affected vendors after initial discovery between June 4, 2023 and June 11, 2023. Some developers were responsive while others were not; however, all plugins except one received updates to address these vulnerabilities.

All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Affected Plugins

Below is a table of the affected plugins with their slugs, CVE identifiers, reported and disclosed dates, and fixed versions.

| Plugin Name | Plugin Slug | CVE | Reported Date | Disclosed Date | Fixed Version |
|---|---|---|---|---|---|
| WP Mail Catcher | wp-mail-catcher | CVE-2023-3080 | June 4, 2023 | June 8, 2023 | 1.11.1 |
| WP Mail Logging | wp-mail-logging | CVE-2023-3081 | June 1, 2023 | June 7, 2023 | 1.11.1 |
| Post SMTP | post-smtp | CVE-2023-3082 | June 1, 2023 | July 10, 2023 | 2.5.8 |
| WP Mail Log | wp-mail-log | CVE-2023-3088 | June 1, 2023 | July 4, 2023 | 1.1.2 |
| FluentSMTP | fluent-smtp | CVE-2023-3087 | June 2, 2023 | July 5, 2023 | 2.2.5 |
| SMTP Mail | smtp-mail | CVE-2023-3092 | June 2, 2023 | July 4, 2023 | Plugin closed. Awaiting fixed release. |
| YaySMTP | yaysmtp | CVE-2023-3093 | June 2, 2023 | June 11, 2023 | 2.4.6 |
| GD Mail Queue | gd-mail-queue | CVE-2023-3122 | June 5, 2023 | June 8, 2023 | 4.0 |
| Mailtree Log Mail | mailtree-log-mail | CVE-2023-3135 | June 5, 2023 | June 19, 2023 | 1.0.1 |
| MailArchiver | mailarchiver | CVE-2023-3136 | June 5, 2023 | July 11, 2023 | 2.11.0 |
| Mail Control | mail-control | CVE-2023-3158 | June 6, 2023 | July 9, 2023 | Plugin closed. No fix. |
| Lana Email Logger | lana-email-logger | CVE-2023-3166 | June 6, 2023 | June 7, 2023 | 1.1.0 |
| Mail Queue | mail-queue | CVE-2023-3167 | June 6, 2023 | June 21, 2023 | 1.2 |
| WP Reroute Email | wp-reroute-email | CVE-2023-3168 | June 7, 2023 | July 4, 2023 | 1.5.0 |

Source and more details: https://www.wordfence.com/blog/2023/07/never-assume-anything-unauthenticated-stored-cross-site-scripting-vulnerability-exposed-in-14-email-logging-plugins/
