YaySMTP < 2.2.1 – Subscriber+ SMTP Credentials Leak | CVE 2022-2370 | Plugin Vulnerabilities

Description

The plugin does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them

Proof of Concept

Install the plugin and configure any mailer other than Default.

Access the wp-admin area with a Subscriber+ user and monitor the traffic using your preferable tool.

Look for var yaySmtpWpData = in the HTTP Response and you'll find all the leaked credentials.

Affects Plugins

Fixed in 2.2.1

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Submitter

Rafshanzani Suhada

Verified

Yes

WPVDB ID

bedda2a9-6c52-478e-b17a-7a4488419334

Timeline

Publicly Published

2022-07-11 (about 3 years ago)

Added

2022-07-11 (about 3 years ago)

Last Updated

2023-04-14 (about 2 years ago)

Other

Published

Title

Published

2024-03-11

Title

Mollie Forms < 2.6.4 - Missing Authorization to Arbitrary Post Duplication

Published

2024-11-12

Title

Styler for Ninja Forms <= 3.3.4 - Authenticated (Subscriber+) Arbitrary Option Deletion via deactivate_license

Published

2025-03-25

Title

Ultimate Dashboard < 3.8.8 - Missing Authorization to Authenticated (Subscriber+) Plugin Modules Activation/Deactivation

Published

2022-01-24

Title

Coming soon and Maintenance mode < 3.6.7 - Subscriber+ Arbitrary Email Sending to Subscribed Users

Published

2024-05-20

Title

Crafthemes Demo Import <= 3.3 - Missing Authorization to Arbitrary Plugin Installation