Description
WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark is prone to a server-side request forgery vulnerability. An attacker may leverage this issue to make the vulnerable server perform port scanning of hosts in internal or external networks; other attacks are also possible. WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark version 2.1.6 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 2.1.7 or latest
References
https://sploitus.com/exploit?id=WPEX-ID:DC99AC40-646A-4F8E-B2B9-DC55D6D4C55C
https://plugins.svn.wordpress.org/post-smtp/trunk/readme.txt
Related Vulnerabilities
WordPress Plugin Gutenberg & Elementor Templates Importer For Responsive Security Bypass (2.2.5)
WordPress Plugin Nokia Maps & Places Cross-Site Scripting (1.6.6)
WordPress Plugin Infusionsoft Gravity Forms Add-on Arbitrary File Upload (1.5.10)
WordPress 4.9.x Directory Traversal (4.9 - 4.9.25)
WordPress Plugin Download Manager PHAR Deserialization (3.2.49)