Must update Post SMTP to the latest version for better security!
You are using the Post SMTP plugin, so you can send WordPress emails securely and reliably. Is that right?
To make it even more secure, we strongly recommend you update your Post SMTP plugin to the latest version as soon as possible.
Why? Because we’ve discovered two critical vulnerabilities and fixed them in the latest version of Post SMTP, which prevents you from exposing your website and users to hackers.
Vulnerabilities Found During Wordfence Bug Bounty Program
Wordfence is a leading WordPress security plugin that protects over 4 million websites from malware, brute force attacks, and other threats.
Wordfence also runs a bug bounty program, where security researchers can report vulnerabilities in WordPress plugins and themes and get rewarded for their findings.
On December 14, 2023, during the Wordfence Bug Bounty Program Holiday Bug Extravaganza, two security researchers, Sean Murphy and Ulysses Saicha, reported two vulnerabilities in Post SMTP.
The vulnerabilities were as follows:
Vulnerability #1: Authorization Bypass via type connect-app API
This vulnerability allows an unauthenticated attacker to reset the API key that is required to authenticate to the mailer and view logs, including password reset emails. This means that a malicious person can take over the website by resetting the admin password and logging in as the admin.
Because on Post SMTP’s connect-app REST endpoint, there was a type of juggling issue that prevented the user’s input from being validated. By sending a specially crafted request to the endpoint, an attacker could bypass the authorization check and gain access to mailer settings and logs.
Vulnerability #2: Unauthorized Stored Cross-Site Scripting via Device
Post SMTP’s connect_app() function, which connects the plugin with a mobile application, did not escape and sanitize the device value input.
Due to this vulnerability, an unauthenticated attacker could store a malicious script in the device value, and the script would run whenever someone, such as the admin or other users, viewed the logs.
Don’t Worry! We’ve Fixed this with Security Patch Release V 2.8.8
On January 1, 2024, we released Post SMTp Version 2.8.8, which fixes the vulnerabilities by adding proper validation and sanitization to the connect-app REST endpoint and the device value input.
Additionally, on January 3, 2024, Wordfence released a firewall rule to protect its premium users from any exploits targeting these vulnerabilities, and later, on February 2, 2024, Wordfence released the same protection for its free users as well.
Action Required From Your Side: Update Post SMTP NOW!!!
To benefit from these security enhancements and avoid any potential attacks, we urge you to immediately update your Post SMTP plugin.
To do so, follow the steps below:
- Log in to your WordPress dashboard
- Navigate to Plugins → Installed Plugins.
- Find Post SMTP in the list of plugins
- Then, click on Update Now.
Alternatively, you can download the latest version of Post SMTP from the WordPress plugin repository and install it manually on your website.
NOTE: To prevent these issues in the future, we recommend you enable the auto-update feature for Post SMTP, which you can find in the same window from where you’ve updated Post SMTP in your WordPress dashboard.
Final Note – Your Website Security Is Our Top Priority
For us, your website security is more than a checkbox. We collaborated with Wordfence to address these vulnerabilities promptly, ensuring that you can confidently leverage the power of Post SMTP to improve your WordPress email deliverability.
We also want to thank Wordfence and the security researchers who discovered and reported these vulnerabilities for their valuable contribution to the WordPress community.
If you have any questions or need assistance with the update process, don’t hesitate to reach out to the Post SMTP support team. Your peace of mind is our goal.
Lastly, don’t forget to upgrade the Post SMTP plugin to the latest version.
Stay proactive, stay secure!
