WordPress Plugin Vulnerabilities

POST SMTP Mailer < 2.7.1 - Unauthenticated Cross-site Scripting

Description

The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.

Proof of Concept

1. Install Post SMTP in version <= 2.7.0 and configure it.
2. Send email using any contact form which uses 'wp_mail' function. Include the following payload in the message:

<img src=x onerror=alert(document.domain)>

3. Visit /wp-admin/admin.php?page=postman_email_log (Post SMTP -> Email Log)
4. Click 'View' next to the first record.
5. The message is shown and JavaScript code is executed.

Affects Plugins

Plugin icon
post-smtp
Fixed in 2.7.1

References

CVE
CVE-2023-5958

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Marcin Węgłowski (AFINE Team)
Submitter
Marcin Węgłowski (AFINE Team)
Submitter website
https://afine.com
Submitter twitter
afinePL/
Verified
Yes
WPVDB ID
22fa478d-e42e-488d-9b4b-a8720dec7cee

Timeline

Publicly Published
2023-11-06 (about 6 months ago)
Added
2023-11-06 (about 6 months ago)
Last Updated
2023-11-06 (about 6 months ago)

Other

Published
Title
Published
2023-01-19
Title
Easy PayPal Buy Now Button < 1.7.4 - Contributor+ Stored XSS in Shortcode
Published
2024-04-09
Title
Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features
Published
2014-08-01
Title
Blaze - Unspecified XSS
Published
2024-02-02
Title
Structured Content < 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Classic Editor Shortcode
Published
2023-08-14
Title
Article Directory Redux <= 1.0.2 - Admin+ Stored XSS