Thousands of WordPress sites under threat from dodgy plugins

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

A popular WordPress plugin with more than 300,000 installs carried two high-severity vulnerabilities that could allow threat actors to completely take over the websites, experts have warned.

Cybersecurity researchers from Wordfence discovered the flaw in early December last year, and reported it to the developers.

As per the researchers, the vulnerable plugin is called POST SMTP, a tool that helps webmasters deliver emails to their visitors. It carried two major flaws - CVE-2023-6875, and CVE-2023-7027.

Hundreds of thousands of potential victims

The former is a critical authorization bypass vulnerability affecting all versions of the plugin up to 2.8.7. By abusing the flaw, a threat actor could reset API keys and thus gain access to sensitive log information, such as password reset emails. They can even abuse the vulnerability to install backdoors, modify plugins and themes, tamper with the site’s content, or redirect users elsewhere (for example, to a malicious phishing page, or to a site marred with advertising). 

The latter is a cross-site scripting (XSS) vulnerability, also present in all versions up to 2.8.7. By abusing it, hackers can inject arbitrary scripts.

The flaw was first spotted in early December, with the patch being made available on January 1, 2024. Those using the POST SMTP tool should make sure the plugin is brought to version 2.8.8.

According to BleepingComputer, there are some 150,000 websites running POST SMTP versions older than 2.8. The other 150,000 are using a newer, but still vulnerable, version. Since the patch was released, some 100,000 new downloads have been made. 

POST SMTP is a free plugin, rated 4.8/5 on the WordPress plugin repository. 

Generally speaking, WordPress as a website builder is considered safe. However, there are tens of thousands of free plugins carrying different vulnerabilities. Some of the plugins, despite being popular with the users, are no longer being supported by their developers, putting the users under great risk.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.