Over 300,000 WordPress sites vulnerable due to POST SMTP plugin
Take action: If you are using the POST SMTP plugin for WordPress, PATCH NOW. It's not difficult, and the risk far outweighs any arguments for delaying.
A widely used WordPress plugin, POST SMTP, with an install base of over 300,000 websites, was found to contain two high-severity vulnerabilities that pose a significant threat to those sites. POST SMTP is a free plugin, rated 4.8/5 on the WordPress plugin repository.
These vulnerabilities could allow threat actors to gain complete control over an affected WordPress website.
- CVE-2023-6875 (CVSS score 9.8) is an authorization bypass flaw present in versions up to 2.8.7, enabling attackers to access sensitive log information, reset API keys, install backdoors, alter site content, or redirect visitors.
- CVE-2023-7027 (CVSS score 7.2) is a cross-site scripting (XSS) vulnerability which also affects all versions up to 2.8.7 and allows the injection of arbitrary scripts.
A patch for both vulnerabilities was released on January 1, 2024, with the fix shipping in POST SMTP version 2.8.8.
There are approximately 150,000 websites running POST SMTP versions older than 2.8. The other 150,000 are on newer versions, but most of those are still vulnerable versions. Since the patch was released, some 100,000 new downloads have been made.
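As an added defender-side check that is not part of the original advisory, the following POSIX shell snippet reports whether an installed POST SMTP version predates the patched 2.8.8 release. The WP-CLI invocation and the plugin slug `post-smtp` are assumptions; version strings are assumed to be dotted numerics (a trailing suffix such as `-beta` is ignored).

```shell
#!/bin/sh
# Added example: is an installed POST SMTP version older than the release
# that fixes CVE-2023-6875 and CVE-2023-7027? (2.8.8 per the advisory)
PATCHED_VERSION="2.8.8"

# version_lt A B -> exit 0 if dotted version A is strictly older than B.
# Components are compared numerically, left to right; missing components
# count as 0, so "2.8" < "2.8.8" and "2.8.8" == "2.8.8.0".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"   # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"  # strip suffixes like "-beta"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1   # equal
}

# post_smtp_vulnerable VERSION -> exit 0 if VERSION is affected (< 2.8.8).
post_smtp_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# Optional local check via WP-CLI (assumed installed; slug assumed to be
# post-smtp). Skipped silently when wp is not on PATH.
if command -v wp >/dev/null 2>&1; then
    installed="$(wp plugin get post-smtp --field=version 2>/dev/null || true)"
    if [ -n "$installed" ]; then
        if post_smtp_vulnerable "$installed"; then
            echo "POST SMTP $installed is VULNERABLE; update to $PATCHED_VERSION or later"
        else
            echo "POST SMTP $installed is patched"
        fi
    fi
fi
```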