Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin

On December 14th, 2023, during the Wordfence Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and to view logs, including password reset emails, on WordPress sites that use this plugin. Shortly after, we received a second submission from another researcher for an Unauthenticated Stored Cross-Site Scripting vulnerability in the POST SMTP Mailer plugin. This vulnerability enables threat actors to inject malicious web scripts into pages.

Special props to Ulyses Saicha and Sean Murphy, who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. These researchers respectively earned bounties of $4,125 and $825 for their discoveries during our Bug Bounty Program Extravaganza.

All sites using any version of Wordfence received full protection on February 2, 2024.

Wordfence contacted WPExperts.io on December 8, 2023 for a separate vulnerability, and received a response on December 10, 2023. After providing full disclosure details, the developer released a patch on January 1, 2024. We would like to commend the WPExperts.io team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of POST SMTP Mailer, version 2.8.8 at the time of this writing, as soon as possible.

Source: https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin
