The plugin does not perform a capability check before outputting the mailer credentials in the JS code for the settings page, allowing any authenticated user, such as a subscriber, to retrieve them.
Install the plugin and configure any mailer other than Default. Access the wp-admin area as a Subscriber+ user and monitor the traffic with your preferred tool. Look for var yaySmtpWpData = in the HTTP response and you'll find all the leaked credentials.
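To confirm on your own site that the fix holds, the check below audits a saved wp-admin response body from a low-privilege session and reports which paths inside yaySmtpWpData still carry non-empty secrets. It is an added example, not code from the advisory or the plugin. The secret-looking key patterns and the sample bodies are assumptions, since the plugin's real key names are not given here.

```python
import json
import re

# Name of the JS variable, taken from the advisory text.
MARKER = re.compile(r"var\s+yaySmtpWpData\s*=\s*")
# Assumption: key names that usually hold secrets; the plugin's real keys are not on the page.
SENSITIVE = re.compile(r"pass|secret|token|api[_-]?key|credential", re.I)


def extract_object(html):
    """Return the object assigned to yaySmtpWpData, or None if absent or unparseable."""
    m = MARKER.search(html)
    if not m:
        return None
    try:
        # raw_decode stops at the end of the JSON value, ignoring the trailing ';'
        obj, _ = json.JSONDecoder().raw_decode(html, m.end())
    except json.JSONDecodeError:
        return None
    return obj


def sensitive_paths(node, prefix=""):
    """Yield dotted paths of non-empty values stored under secret-looking keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if SENSITIVE.search(key) and value not in ("", None, [], {}):
                yield path
            else:
                yield from sensitive_paths(value, path)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from sensitive_paths(value, f"{prefix}[{i}]")


def audit(html):
    """Paths of exposed secrets in one saved response body (values are never returned)."""
    obj = extract_object(html)
    return sorted(sensitive_paths(obj)) if obj is not None else []


# Constructed sample bodies (not captured from a real site; key names are made up).
LEAKY = '<script>var yaySmtpWpData = {"currentMailer":"smtp","settings":{"smtp":{"host":"mail.example.test","user":"u","pass":"x"},"sendgrid":{"api_key":""}}};</script>'
CLEAN = '<script>var yaySmtpWpData = {"ajaxUrl":"/wp-admin/admin-ajax.php"};</script>'

if __name__ == "__main__":
    print(audit(LEAKY))  # paths only, never the secret values
    print(audit(CLEAN))
```

Any non-empty result for a Subscriber-level session means credentials are still being emitted to users who should not see them.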
Rafshanzani Suhada
Yes
2022-07-11 (about 6 months ago)