Description
WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently reset the API key used to authenticate to the mailer, and view logs, including password reset emails, allowing site takeover. WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark version 2.8.7 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.8.8 or latest
References
https://sploitus.com/exploit?id=WPEX-ID:B66C4057-E3D5-4A92-A319-F3E36441270F
https://plugins.svn.wordpress.org/post-smtp/trunk/readme.txt
Related Vulnerabilities
Joomla Insufficient Verification of Data Authenticity Vulnerability (CVE-2020-15699)
MySQL CVE-2014-6555 Vulnerability (CVE-2014-6555)
WordPress Plugin BP Group Documents Multiple Vulnerabilities (1.2.1)
Oracle Database Server CVE-2014-6455 Vulnerability (CVE-2014-6455)
WordPress Plugin Snow Monkey Forms Directory Traversal (5.1.1)