Heads up for all POST SMTP Mailer WordPress plugin users!
Security researchers Ulysses Saicha and Sean Murphy have recently unearthed two critical vulnerabilities in the widely-used email delivery plugin POST SMTP Mailer. Identified and labeled as CVE-2023-6875 and CVE-2023-7027, these vulnerabilities were flagged under the Wordfence Bug Bounty Program, receiving critical and high severity ratings in that order.
The grim news is, if left unaddressed, these security flaws might allow attackers to gain full control over your website’s authentication process. We strongly advise all users of this plugin to update their sites with the latest patched version of POST SMTP Mailer, version 2.8.8, as soon as possible at the time of this writing.
About the POST SMTP Mailer Plugin
According to WordPress, the POST SMTP Mailer plugin is an essential component for over 300,000 active websites across the globe. This powerful next-generation plugin not only enhances the deliverability of emails dispatched from a WordPress site but also ensures that they are routed through a trustworthy SMTP server. With features like email logging, OAuth authentication, notifications, configuration testing, and more, POST SMTP Mailer is a great addition for any website owner looking to optimize their email communication.
Getting to Know the Culprits: Understanding CVE-2023-6875 and CVE-2023-7027 Vulnerabilities
The two vulnerabilities in the POST SMTP plugin have been identified and tracked as CVE-2023-6875 and CVE-2023-7027. As a business with a strong focus on security and stability, it is imperative that we address these issues. Therefore, let’s delve deeper into them to determine the best course of action.
The first vulnerability tracked as CVE-2023-6875, is a critical authorization bypass flaw resulting from a “type juggling” issue on the connect-app REST endpoint. This flaw affects all versions of the plugin up to version 2.8.7. An attacker can exploit this vulnerability to reset the API key and gain access to sensitive log information, including password reset emails. By manipulating a function related to the mobile app, the attacker can set a valid token with a zero value for the authentication key, triggering a password reset for the site’s admin. Quite unnerving, isn’t it?
The second culprit, CVE-2023-7027, is a cross-site scripting (XSS) loophole within the coding of POST SMTP that can allow an intruder to bypass security checkpoints.
The vulnerability stems from insufficient input sanitization and output escaping. If successfully exploited, an unauthorized attacker can inject arbitrary web scripts into pages, which execute whenever an administrator opens the mobile application settings page.
The Potential Risks: How These Vulnerabilities Can Jeopardize Your Website
If you’re using the POST SMTP Mailer plugin, immediately updating to the latest patched version (2.8.8) is important. Failure to do so could expose your WordPress site to unauthorized access, potential compromise, and malicious activities.
Preventing Disaster: Steps to Protect Your Website from the POST SMTP Mailer Plugin Vulnerabilities
At Servebolt, we provide two proactive managed services, namely Accelerated Domains and Servebolt CDN, that can enhance the security of your website. These services are built on top of Cloudflare’s Enterprise offering, and we offer two free domains to all customers who sign up with us.
To ensure the security of our customers’ websites, we use a combination of server-based security products and Cloudflare’s WAF. We also employ additional security measures to minimize hack attempts and prevent direct access to the server. These measures are configured to automatically block potentially harmful requests without requiring any configuration or maintenance.
Due to the severity of the issue, we have immediately put protections in place, listed in the CVE proof of concept, for Accelerated Domains and Servebolt CDN. We did that for all clients using both services, just to be on the safe side.
It is recommended that customers upgrade to POST SMTP version 2.8.8 or later to address this vulnerability.
Your Website’s First Line of Defense: The Importance of Regular Plugin Updates
Imagine you are working hard to update your website’s content when suddenly it is compromised by spiteful hackers who exploit the loopholes in your system. To prevent this horror movie scenario from occurring, you can use a simple yet effective defense strategy called periodic plugin updates. Regular updates plug the security gaps and provide added layers of security to various aspects of your site.
For instance, an up-to-date POST SMTP Mailer WordPress plugin can shield you from vulnerabilities such as CVE-2023-6875 and CVE-2023-7027 discovered by these researchers. The question is, how can you ensure you do not miss these essential plugin updates?
WordPress offers built-in auto-update functionality and dozens of plugins allowing users to update all or selected plugins automatically. However, automatic updates should be approached with caution. Sometimes, we may face compatibility issues with theme and plugin new versions, which may cause certain features to malfunction or even lead to the website crashing. If the website relies on a considerable number of plugins, it would be better to update them, at least for plugins manually. Doing so one by one enables us to identify issues that automation could make it difficult to spot immediately. It is always essential to have an effective backup and retrieval plan when using automatic updates. Additionally, performing regular website maintenance tasks such as updates, backups, security audits, and performance tuning is crucial.
The security of your website is only as strong as its weakest link. Regular plugin updates, coupled with proactive security measures, help strengthen each link in your security chain. While there is no universal solution to website security, keeping your plugins up-to-date is a simple and essential first line of defense.
Conclusion
In conclusion, the recent discovery of two critical vulnerabilities in the POST SMTP Mailer WordPress plugin serves as a timely reminder of the importance of website security. It’s crucial to update your website’s plugins regularly to ensure that you’re protected against any potential security threats, including those identified in this case. By staying vigilant and taking proactive measures to secure your site, you can safeguard your online presence and protect your visitors’ data. Remember, prevention is always better than cure.