CVE-2023-6875 Exploitation in POST SMTP Mailer Plugin

Published on

Jan 29, 2024

In-Depth Technical Overview:

The POST SMTP Mailer WordPress plugin, integral for email management, has been compromised due to two significant vulnerabilities. The first, an Authorization Bypass, allows attackers to access and modify sensitive email logs and settings without proper authentication. The second, an Unauthenticated Stored XSS, enables the injection of malicious scripts into web pages. These vulnerabilities can lead to unauthorized access and control over the website's email communication functions.‍

The exploit for CVE-2023-6875 is designed to take advantage of vulnerabilities in the POST SMTP Mailer WordPress plugin. It begins by confirming the plugin's vulnerability through a version check. Once the vulnerability is established, the script manipulates a token to initiate a password reset request for a specific user. It then cleverly accesses the plugin's email logs to retrieve the reset key sent to the user's email. With this key, the attacker can change the user's password, effectively gaining unauthorized control over the account. This process underscores the severe security risks posed by the vulnerabilities in the plugin.

Sphere's Exploitation Discovery:

Sphere's Threat Intelligence tool has uncovered sophisticated exploitation techniques used by attackers targeting the vulnerabilities in the POST SMTP Mailer WordPress plugin. These attackers have been found to employ intricate methods to intercept email communications. By leveraging the flaws, they could access and manipulate sensitive email logs, gaining unauthorized insights into user communications. This exploitation not only compromised the confidentiality of email content but also provided a means for attackers to potentially control user accounts and manipulate site content, posing a significant threat to WordPress site security.

Recognizing Exploitation Signs:

‍Key signs include unauthorized API key changes, unusual access to the email logs, and suspicious patterns in wp-json and wp-admin requests. These are indicative of both data exfiltration and unauthorized control attempts.

Protective Measures:

‍Urgent updating to version 2.8.8 of the plugin is essential. Furthermore, implementing stringent input validation, regular security audits, and using advanced security monitoring tools like Sphere are recommended to prevent future exploits. Also a PoC for the exploitation exists since 27 January 2024.

‍

Other Articles

News

Ransomware Attack Hits Barcelona Hospital Clinic

Barcelona Hospital Clinic was hit by a ransomware attack on Sunday morning, which disrupted healthcare services after the hackers targeted the institution’s virtual machines.

Cybersecurity Awareness

Maximize SIEM System Benefits: Parsing, Normalizing and Enrichment Tools

Using a parser, normalizer, and enrichment tool can be a valuable way to improve the efficiency and effectiveness of a Security Information and Event Management (SIEM) system.

Cybersecurity Awareness

The Value of Ongoing Security Monitoring and Maintenance from an MSSP

Here is an example of how a Managed Security Service Provider (MSSP) might apply its services to a business.

Cybersecurity Awareness

What is exactly a cybersecurity solution?

Another significant cybersecurity incident making headlines this year in Albania: A cyberattack launched by a hacker group based in Iran exploited the massive Albanian electronic services, central intelligence and the police department.