PT-2024-1238 · WordPress · Post Smtp Mailer

Ulyses Saicha · Published 2024-01-10 · Updated 2025-02-26 · CVE-2023-6875

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: the vector listed has scope unchanged (S:U), for which the CVSS v3.1 formula yields a base score of 9.8; a score of 10.0 requires scope changed (S:C). The rating is Critical either way.
Name of the Vulnerable Software and Affected Versions: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress (WordPress plugin), versions up to and including 2.8.7.
Description: The authorization check on the plugin's connect-app REST endpoint has a PHP type-juggling flaw: the token supplied by the caller is compared to the stored key with a loose comparison rather than a strict, type-checked one, so a value that PHP coerces to equal the stored key satisfies the check without any knowledge of the key. An unauthenticated remote attacker can therefore call the endpoint, reset the API key used to authenticate to the mailer, and then read the plugin's email log, including password-reset emails, which allows account and site takeover. The plugin has over 300,000 active installations, so the exposed population is large.
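The comparison defect described above, as an added example that is not Post SMTP's own code: the two functions below model a REST permission check that compares a request token with a key kept in a WordPress option (get_option() returns false when an option was never set, modelled here by passing false as the stored value). All names and the placeholder key are constructed for the example.

```php
<?php
// Added example, not the plugin's code. Models an authorization check that
// compares a request-supplied token against a key kept in a WordPress
// option; get_option() returns false when the option was never set, which
// is modelled here by passing false as $stored.

// Vulnerable pattern: PHP's loose comparison (==) coerces types before
// comparing. null, '' and '0' are all loosely equal to false, and before
// PHP 8 the integer 0 was loosely equal to any non-numeric string, so a
// caller who sends no token, or a throwaway one, can pass when the key was
// never provisioned.
function vulnerable_check($supplied, $stored): bool
{
    return $supplied == $stored;
}

// Hardened pattern: refuse unless a non-empty string key is provisioned,
// require the supplied value to be a string, and compare with hash_equals()
// (type-strict and constant-time). This is the shape a permission_callback
// should take.
function hardened_check($supplied, $stored): bool
{
    if (!is_string($stored) || $stored === '') {
        return false; // nothing provisioned: nothing can authenticate
    }
    if (!is_string($supplied)) {
        return false; // header or parameter absent, or of the wrong type
    }
    return hash_equals($stored, $supplied);
}

// Runs both checks over tokens an attacker can send without knowing the
// key, plus the legitimate key, for an unset and a provisioned stored key.
function compare_checks(): array
{
    $real_key   = 'constructed-placeholder-key'; // constructed, not a real key
    $candidates = [
        'absent header' => null,
        'empty string'  => '',
        'string zero'   => '0',
        'correct key'   => $real_key,
    ];
    $rows = [];
    foreach ([false, $real_key] as $stored) {
        foreach ($candidates as $label => $token) {
            $rows[] = [
                'stored'     => $stored === false ? 'unset (false)' : 'provisioned',
                'token'      => $label,
                'vulnerable' => vulnerable_check($token, $stored),
                'hardened'   => hardened_check($token, $stored),
            ];
        }
    }
    return $rows;
}

foreach (compare_checks() as $row) {
    printf(
        "%-14s %-14s vulnerable=%-5s hardened=%s\n",
        $row['stored'],
        $row['token'],
        var_export($row['vulnerable'], true),
        var_export($row['hardened'], true)
    );
}
```

Run it with the PHP CLI and compare the two columns: the loose check accepts every attacker-controlled token whenever no key has been provisioned, while the hardened check accepts only the exact provisioned key. In a WordPress plugin the same two branches would sit inside the route's permission_callback, reading the token from the request and the key from get_option().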
Recommendations: Update the plugin to a version later than 2.8.7 (2.8.8 or newer), which contains the fix. If the update cannot be applied immediately, block requests to the connect-app REST endpoint as a temporary measure, either at the web server or through a WordPress filter; note that the REST API is also reachable through the ?rest_route= query parameter, so a rule that matches only the /wp-json/ path is not sufficient on its own. After updating, rotate the API key used to authenticate to the mailer, since an attacker may already have reset it, and review the plugin's email log and recent password-reset activity for signs that credentials were exposed.
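One way to apply the temporary endpoint restriction above, as an added example rather than anything shipped by Post SMTP: a must-use plugin that refuses every request to the connect-app route before WordPress reaches the route's own permission check. It assumes the route is registered under the post-smtp/v1 REST namespace as /connect-app (confirm this against the installed plugin's register_rest_route() call), and while in place it disables the mobile-app connection feature for all callers.

```php
<?php
/**
 * Plugin Name: Temporary block for the Post SMTP connect-app REST route
 * Description: Added example workaround, not Post SMTP's own code. Save as
 *              wp-content/mu-plugins/block-post-smtp-connect-app.php and
 *              remove it once the plugin is updated past 2.8.7.
 */

// Assumption: the route is /post-smtp/v1/connect-app. Verify against the
// installed plugin before relying on this pattern.
const BLOCKED_ROUTE_PATTERN = '#^/post-smtp/v1/connect-app(?:/|$)#i';

// rest_pre_dispatch runs in WP_REST_Server::dispatch() before the route is
// matched and before its permission_callback is evaluated, and it sees the
// parsed route whether the request arrived via /wp-json/... or via the
// ?rest_route=... query parameter, so both access paths are covered.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	if ( preg_match( BLOCKED_ROUTE_PATTERN, $request->get_route() ) ) {
		// Returning a WP_Error short-circuits dispatch; the vulnerable
		// permission check on the route is never reached.
		return new WP_Error(
			'rest_forbidden',
			'This route is temporarily disabled.',
			array( 'status' => 403 )
		);
	}
	return $result;
}, 10, 3 );
```

Deploying it as a must-use plugin means it loads regardless of which plugins are active and cannot be deactivated from the dashboard. A web-server rule can serve the same purpose, but it must then cover both the /wp-json/post-smtp/v1/connect-app path and requests carrying rest_route=/post-smtp/v1/connect-app in the query string.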

Exploit

Fix

Weakness Enumeration: IDOR · Missing Authorization

Related Identifiers: BDU:2024-00631 · CVE-2023-6875

Affected Products: Post Smtp Mailer