Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin

On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, on WordPress sites that use this plugin. Shortly after, we received a submission from another researcher for an Unauthenticated Stored Cross-Site Scripting vulnerability in the POST SMTP Mailer plugin. This vulnerability enables threat actors to inject malicious web scripts into pages.

Special props to Ulyses Saicha and Sean Murphy, who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. These researchers respectively earned bounties of $4,125 and $825 for their discoveries during our Bug Bounty Program Extravaganza.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting these vulnerabilities on January 3, 2024. Sites still using the free version of Wordfence will receive the same protection on February 2, 2024.

We contacted WPExperts.io on December 8, 2023 for a separate vulnerability, and received a response on December 10, 2023. After providing full disclosure details, the developer released a patch on January 1, 2024. We would like to commend the WPExperts.io team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of POST SMTP Mailer, version 2.8.8 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API
Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Affected Versions: <= 2.8.7
CVE ID: CVE-2023-6875
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Ulyses Saicha
Fully Patched Version: 2.8.8
Bounty Awarded: $4,125.00

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device
Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress
Plugin Slug: post-smtp
Affected Versions: <= 2.8.7
CVE ID: CVE-2023-7027
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Sean Murphy
Fully Patched Version: 2.8.8
Bounty Awarded: $825.00

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis #1: Authorization Bypass via type connect-app API

The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.


public function connect_app( WP_REST_Request $request ) {
	
	$nonce = get_transient( 'post_smtp_auth_nonce' );
	$auth_key = $request->get_header( 'auth_key' );
	$fcm_token = $request->get_header( 'fcm_token' );
	$device = $request->get_header( 'device' );
	$server_url = $request->get_header( 'server_url' );
	
	if( $auth_key == $nonce ) {
		
		$data = array(
			$fcm_token	=>	array(
				'auth_key'				=>	$auth_key,
				'fcm_token'				=>	$fcm_token,
				'device'				=>	$device,
				'enable_notification'	=>	1
			)
		);
		
		update_option( 'post_smtp_mobile_app_connection', $data );
		update_option( 'post_smtp_server_url', $server_url );
		
		wp_send_json_success( 
			array(
				'fcm_token'	=>	$fcm_token
			), 
			200 
		);
		
	}
	
	delete_transient( 'post_smtp_auth_nonce' );
	
	wp_send_json_error( 
		array(
			'error'	=>	'Refresh QR Code page, and scan again.'
		), 
		200 
	);
	
}

Setting the value of the FCM token is supposed to require knowledge of a randomly generated authentication nonce. However, the plugin deletes the auth nonce in all cases, which means that after a request has been sent, the auth nonce is always empty. This made it possible for an attacker to set the FCM token in the next request by providing a zero value for the auth key: the check uses PHP's loose == comparison, so the zero value compared against the empty nonce would successfully validate as true.
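The comparison described above, next to a hardened form, as an added example (not the plugin's code and not the 2.8.8 patch). It runs as stand-alone PHP; stored_nonce(), loose_check(), strict_check() and the sample values are assumptions made for illustration, with stored_nonce() standing in for get_transient(), which returns false when the transient no longer exists.

```php
<?php
// Hypothetical stand-in for get_transient( 'post_smtp_auth_nonce' ):
// WordPress returns false when the transient has been deleted or has expired.
function stored_nonce( bool $exists ) {
    return $exists ? 'constructed-nonce-123' : false;
}

// The comparison as written in connect_app() up to 2.8.7.
function loose_check( $auth_key, $nonce ): bool {
    return $auth_key == $nonce;
}

// Hardened comparison: reject unless a pairing is actually in progress and
// the supplied key is a non-empty string, then compare in constant time.
function strict_check( $auth_key, $nonce ): bool {
    if ( ! is_string( $nonce ) || $nonce === '' ) {
        return false; // no nonce stored: nothing can match
    }
    if ( ! is_string( $auth_key ) || $auth_key === '' ) {
        return false; // header absent or empty
    }
    return hash_equals( $nonce, $auth_key );
}

// Constructed test cases: [ auth_key header value, whether the nonce exists ].
$cases = array(
    'zero value, nonce deleted'  => array( '0', false ),
    'zero value, nonce present'  => array( '0', true ),
    'correct key, nonce present' => array( 'constructed-nonce-123', true ),
);

foreach ( $cases as $label => [ $auth_key, $exists ] ) {
    $nonce = stored_nonce( $exists );
    printf(
        "%-28s loose=%-5s strict=%s\n",
        $label,
        var_export( loose_check( $auth_key, $nonce ), true ),
        var_export( strict_check( $auth_key, $nonce ), true )
    );
}
```

Only the first case differs between the two checks: the loose comparison accepts it, while the strict one rejects any request made when no nonce is stored.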

With the connected application, it is possible to access and view all emails, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account.

Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device

In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that the device value is not sanitized on input in the connect_app() function, and it is not escaped on output in the section() function.


foreach( $this->app_connected as $device ) {
    
    $url = admin_url( "admin.php?action=post_smtp_disconnect_app&auth_token={$device['fcm_token']}&ps_disconnect_app_nonce={$nonce}" );
    $checked = $device['enable_notification'] == 1 ? 'checked="checked"' : '';
    
    echo "{$device['device']} <a href='{$url}' style='color: red'>Disconnect</a>";
    echo '<br />';
    echo sprintf(
        '<label for="enable-app-notice">%s <input type="checkbox" id="enable-app-notice" name="postman_app_connection[%s]" %s /></label>',
        __( 'Send failed email notification' ),
        $device['fcm_token'],
        $checked
    );
    
}

The output of listing devices in the section() function

This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with all Cross-Site Scripting vulnerabilities, this can be leveraged by an attacker to achieve remote code execution.
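A sketch of the two missing controls, input sanitization and output escaping, applied to the device row shown above. This is an added example, not the plugin's code or its patch; it runs as stand-alone PHP, so htmlspecialchars() stands in for WordPress's esc_html()/esc_attr(), and h(), clean_device_label(), render_device_row(), the URL and the sample values are assumptions.

```php
<?php
// Output escaping: encode for HTML text and attribute contexts.
function h( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Input sanitization: reduce the header to a short plain-text label before
// it is stored (in WordPress, sanitize_text_field() is the usual call).
function clean_device_label( ?string $raw ): string {
    $label = strip_tags( (string) $raw );
    $label = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $label );
    return substr( trim( $label ), 0, 64 );
}

// Same markup as the loop in section(), with every dynamic value escaped.
// fcm_token arrives in the same request headers as device, so it is
// URL-encoded for the query string and escaped for the name attribute.
function render_device_row( array $device, string $base_url, string $nonce ): string {
    $url = $base_url . '?' . http_build_query( array(
        'action'                  => 'post_smtp_disconnect_app',
        'auth_token'              => $device['fcm_token'],
        'ps_disconnect_app_nonce' => $nonce,
    ) );
    $checked = ( (int) $device['enable_notification'] === 1 ) ? 'checked="checked"' : '';

    return sprintf(
        '%s <a href="%s" style="color: red">Disconnect</a><br />'
        . '<label>Send failed email notification '
        . '<input type="checkbox" name="postman_app_connection[%s]" %s /></label>',
        h( $device['device'] ),
        h( $url ),
        h( $device['fcm_token'] ),
        $checked
    );
}

// Constructed sample: a device header carrying markup, stored unsanitized
// here to show that output escaping alone already neutralizes it.
$raw_header = 'Pixel 7 <script>/* constructed test marker */</script>';
$stored     = array(
    'fcm_token'           => 'constructed"token',
    'device'              => $raw_header,
    'enable_notification' => 1,
);

echo render_device_row( $stored, 'https://example.test/wp-admin/admin.php', 'constructed-nonce' ), "\n";
echo clean_device_label( $raw_header ), "\n";
```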

Wordfence Firewall

The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.

Disclosure Timeline

December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.
December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.
December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.
December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.
December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.
January 1, 2024 – The fully patched version, 2.8.8, is released.
January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
February 2, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Authorization Bypass vulnerability and a Stored Cross-Site Scripting vulnerability within the POST SMTP Mailer plugin affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.

Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Comments

2 Comments
  • It appears that there is an issue with the first block of embedded code in this article, because after that the formatting is wrong and most of the paragraphs are getting cut off.

    • Hi Eric, thanks for letting us know! We've fixed the article now.