WordPress Plugin Vulnerabilities

POST SMTP Mailer < 2.7.1 - Unauthenticated Cross-site Scripting

Description

The plugin does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.

Proof of Concept

1. Install Post SMTP in version <= 2.7.0 and configure it.
2. Send email using any contact form which uses 'wp_mail' function. Include the following payload in the message:

<img src=x onerror=alert(document.domain)>

3. Visit /wp-admin/admin.php?page=postman_email_log (Post SMTP -> Email Log)
4. Click 'View' next to the first record.
5. The message is shown and JavaScript code is executed.

Affects Plugins

Plugin icon
post-smtp
Fixed in 2.7.1

References

CVE
CVE-2023-5958

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Marcin Węgłowski (AFINE Team)
Submitter
Marcin Węgłowski (AFINE Team)
Submitter website
https://afine.com
Submitter twitter
afinePL/
Verified
Yes
WPVDB ID
22fa478d-e42e-488d-9b4b-a8720dec7cee

Timeline

Publicly Published
2023-11-06 (about 1 months ago)
Added
2023-11-06 (about 1 months ago)
Last Updated
2023-11-06 (about 1 months ago)

Other

Published
Title
Published
2018-03-15
Title
Duplicator <= 1.2.32 - Cross-Site Scripting (XSS)
Published
2022-05-31
Title
Germanized for WooCommerce < 3.9.5 - Reflected Cross-Site Scripting
Published
2022-11-28
Title
Photo Gallery < 1.8.3 - Stored XSS via CSRF
Published
2022-12-02
Title
ImageInject <= 1.17 - Admin+ Stored XSS
Published
2023-04-01
Title
Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting