Thousands of WordPress sites under threat from dodgy plugins
POST SMTP had two flaws that could allow threat actors full WordPress website takeover
A popular WordPress plugin with more than 300,000 installs carried two high-severity vulnerabilities that could allow threat actors to completely take over the websites, experts have warned.
Cybersecurity researchers from Wordfence discovered the flaw in early December last year, and reported it to the developers.
As per the researchers, the vulnerable plugin is called POST SMTP, a tool that helps webmasters deliver emails to their visitors. It carried two major flaws - CVE-2023-6875, and CVE-2023-7027.
Hundreds of thousands of potential victims
The former is a critical authorization bypass vulnerability affecting all versions of the plugin up to 2.8.7. By abusing the flaw, a threat actor could reset API keys and thus gain access to sensitive log information, such as password reset emails. They can even abuse the vulnerability to install backdoors, modify plugins and themes, tamper with the site’s content, or redirect users elsewhere (for example, to a malicious phishing page, or to a site marred with advertising).
The latter is a cross-site scripting (XSS) vulnerability, also present in all versions up to 2.8.7. By abusing it, hackers can inject arbitrary scripts.
The flaw was first spotted in early December, with the patch being made available on January 1, 2024. Those using the POST SMTP tool should make sure the plugin is brought to version 2.8.8.
According to BleepingComputer, there are some 150,000 websites running POST SMTP versions older than 2.8. The other 150,000 are using a newer, but still vulnerable, version. Since the patch was released, some 100,000 new downloads have been made.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
POST SMTP is a free plugin, rated 4.8/5 on the WordPress plugin repository.
Generally speaking, WordPress as a website builder is considered safe. However, there are tens of thousands of free plugins carrying different vulnerabilities. Some of the plugins, despite being popular with the users, are no longer being supported by their developers, putting the users under great risk.
More from TechRadar Pro
- This top WordPress plugin has a major security flaw - and there's no fix yet
- Here's a list of the best firewalls around today
- These are the best remote desktop tools on offer for your business
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.