A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.
Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin.
The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.
A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem - including publishing unauthorised content, linking to malicious webpages, or planting backdoors.
The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.
Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.
publishing an update (version 2.8.8 of POST SMTP Mailer plugin) on January 1, 2024, which addressed the security issues.
Solution: If you run a WordPress-powered website that uses the POST SMTP Mailer plugin, it's essential that you verify your site has been updated to use the latest patched version of the plugin (version 2.8.9 at the time of writing.)