The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
References
Configurations
History
21 Nov 2024, 08:44
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/176525/WordPress-POST-SMTP-Mailer-2.8.7-Authorization-Bypass-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry | |
References | () https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1&old=3012318&old_path=%2Fpost-smtp%2Ftrunk - Product | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve - Third Party Advisory |
18 Jan 2024, 16:11
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-11 09:15
Updated : 2024-11-21 08:44
NVD link : CVE-2023-6875
Mitre link : CVE-2023-6875
CVE.ORG link : CVE-2023-6875
JSON object : View
Products Affected
wpexperts
- post_smtp_mailer
CWE
CWE-862
Missing Authorization