We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Vulnerable Plugin Puts 150K WordPress Sites at Takeover Risk

Vulnerable Plugin Puts 150K WordPress Sites at Takeover Risk
Zane Kennedy Published on 14th January 2024 Cybersecurity Researcher

Researchers have uncovered critical vulnerabilities in the POST SMTP Mailer WordPress plugin, which potentially puts over 150,000 websites at risk of takeover by malicious actors. The vulnerabilities were first reported by cybersecurity researchers Ulyses Saicha and Sean Murphy as part of Wordfence's Bug Bounty Program Holiday Bug Extravaganza.

The POST SMTP Mailer plugin boasts over 300,000 active installations and is primarily used for email delivery on WordPress sites. The more severe of its two vulnerabilities, CVE-2023-6875, is an Authorization Bypass issue caused by a "type juggling" problem in the plugin's connect-app REST endpoint. This critical flaw, which bears a CVSS score of 9.8, affects all plugin versions up to and including 2.8.7.

Exploiting this vulnerability, unauthenticated attackers can reset the API key used for authentication, allowing them to view sensitive log information, including password reset emails. This could enable attackers to trigger a password reset for an administrator account, seize email control through the compromised API key, and gain full administrative access to the WordPress site.

The second vulnerability, tracked as CVE-2023-7027, is a Stored Cross-Site Scripting (XSS) issue stemming from inadequate input sanitization and output escaping. With a CVSS score of 7.2, this vulnerability also affects all plugin versions up to and including 2.8.7. By exploiting this flaw, attackers can inject malicious scripts into web pages, which could execute whenever a user accesses the affected page.

Wordfence, upon discovering these vulnerabilities, promptly contacted the plugin's developer, WPExperts.io. A commendable response led to the release of a patched version, 2.8.8, on January 1, 2024.

Website administrators are urged to update their POST SMTP Mailer plugin to the latest version to ensure the security of their sites and accounts. This incident highlights the importance of responsible vulnerability disclosure and the effective collaboration between cybersecurity researchers and developers in safeguarding the digital ecosystem.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.