Tuesday, January 16, 2024

Critical flaw present in WordPress plugin used on over 300,000 websites


A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that would allow hackers to take control of the site.

Security researchers at Wordfence discovered two critical flaws in the POST SMTP Mailer plugin.

The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.

A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem, including publishing unauthorised content, linking to malicious webpages, or planting backdoors.

The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.

Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8, 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.

In the week before Christmas, the researchers contacted the developers again, this time about the second vulnerability.

To their credit, the plugin's developers worked over the Christmas and New Year break to fix the flaws, publishing an update (version 2.8.8 of the POST SMTP Mailer plugin) on January 1, 2024, which addressed the security issues.

It would be nice to think that the problem ended there.

However, as BleepingComputer notes, the plugin's statistics show that only 53% of installations are currently running the latest updated version, meaning roughly 150,000 sites remain vulnerable.

It is over ten years since WordPress introduced the ability to automatically update plugins, but it remains an option that has to be enabled for each individual plugin.

If you run a WordPress-powered website that uses the POST SMTP Mailer plugin, it is essential that you verify your site has been updated to use the latest patched version of the plugin (version 2.8.9 at the time of writing).
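As an added example (not from the article, Wordfence or the plugin's developers), the following POSIX shell check reads the Version header from the plugin's main file and compares it with 2.8.8, the first release that carried the fix, so a site owner can confirm the update landed. The plugin slug post-smtp, the main file name and the sample header contents are assumptions; the WP-CLI commands in the comments are the standard `wp plugin` subcommands.

```shell
#!/bin/sh
# Added example: is the installed POST SMTP Mailer plugin at or above the
# first patched release named in the article (2.8.8)?
PATCHED_VERSION="2.8.8"

# Read the "Version:" line from a WordPress plugin's main-file header.
# Handles both "Version: x.y.z" and " * Version: x.y.z" comment styles.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_ge A B: succeeds when A >= B (needs sort -V; GNU or busybox coreutils).
version_ge() {
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# check_plugin FILE: returns 0 = patched, 1 = vulnerable, 2 = no version header.
check_plugin() {
  v="$(plugin_version "$1")"
  if [ -z "$v" ]; then
    echo "no Version header in $1"
    return 2
  fi
  if version_ge "$v" "$PATCHED_VERSION"; then
    echo "post-smtp $v: patched (>= $PATCHED_VERSION)"
    return 0
  fi
  echo "post-smtp $v: VULNERABLE, update to >= $PATCHED_VERSION"
  # Remediation with WP-CLI (assumes the post-smtp slug and a working wp binary):
  #   wp plugin update post-smtp
  #   wp plugin auto-updates enable post-smtp
  return 1
}

# Constructed sample header (not a real plugin file) so the check runs offline.
# On a live site the file is assumed to be wp-content/plugins/post-smtp/postman-smtp.php.
SAMPLE="$(mktemp)"
printf '<?php\n/**\n * Plugin Name: Post SMTP\n * Version: 2.8.7\n */\n' > "$SAMPLE"
check_plugin "$SAMPLE" || true   # prints the VULNERABLE line for the sample
rm -f "$SAMPLE"
```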


Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
