Monday, July 8, 2024

Critical flaw found in WordPress plugin used on over 300,000 websites

A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.

Security researchers at Wordfence discovered two critical flaws in the POST SMTP Mailer plugin.

The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.

A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem – including publishing unauthorised content, linking to malicious webpages, or planting backdoors.

The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.

Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8, 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.

In the week before Christmas, the researchers contacted the developers again – this time about the second vulnerability.

To their credit, the plugin's developers worked over the Christmas and New Year break to fix the problems, publishing an update (version 2.8.8 of the POST SMTP Mailer plugin) on January 1, 2024, which addressed the security issues.

It would be nice to think that the problem ended there.

However, as Bleeping Computer notes, the plugin's statistics show that only 53% of installations are currently running the latest updated version, meaning roughly 150,000 sites remain vulnerable.

It is over ten years since WordPress introduced the ability to automatically update plugins – but it remains an option that has to be enabled for each individual plugin.

If you run a WordPress-powered website that uses the POST SMTP Mailer plugin, it is essential that you verify your website has been updated to use the latest patched version of the plugin (version 2.8.9 at the time of writing).
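As an added example (not part of the article or of the plugin), a POSIX shell check that reads the `Version:` header of the plugin's main file, as WordPress itself does, and reports whether the installed copy predates the 2.8.8 fix; the path `wp-content/plugins/post-smtp/post-smtp.php` and the WP-CLI slug `post-smtp` are assumptions, since the article names neither.

```shell
#!/bin/sh
# Added example: report whether an installed POST SMTP Mailer plugin predates the
# first patched release (2.8.8) by reading the "Version:" header of its main file,
# which is where WordPress reads the installed version from.
# Assumption: the plugin's main file is wp-content/plugins/post-smtp/post-smtp.php
# (path and slug are not stated in the article).

PATCHED_VERSION="2.8.8"

# plugin_version FILE -> prints the value of the "Version:" header in FILE
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B -> exit 0 if dotted version A is strictly older than B
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# plugin_status FILE -> prints "vulnerable", "patched" or "unknown"; always exits 0
plugin_status() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then echo "unknown"
    elif version_lt "$v" "$PATCHED_VERSION"; then echo "vulnerable"
    else echo "patched"
    fi
}

# Constructed sample header for offline use (not a real copy of the plugin file).
SAMPLE="$(mktemp)"
printf '<?php\n/**\n * Plugin Name: Post SMTP\n * Version: 2.8.7\n */\n' > "$SAMPLE"
plugin_status "$SAMPLE"   # prints "vulnerable" for the constructed 2.8.7 header
rm -f "$SAMPLE"

# On a live site with WP-CLI, the equivalent check and the per-plugin auto-update
# switch the article mentions are (slug assumed):
#   wp plugin get post-smtp --field=version
#   wp plugin auto-updates enable post-smtp
```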


Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.
