CVE-2023-6875
published 2024-01-11


Priority: P1 91, critical, CVSS 3.1 score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 90.34% (99.8th percentile)
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. CVE-2023-52233 appears to be a duplicate of this issue.

Affected

1 range
Vendor: wpexperts
Product: post_smtp
Version range: <= 2.8.7
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /wp-json/post-smtp/v1/connect-app
url: /wp-json/post-smtp/v1/get-log
path: /wp-content/plugins/post-smtp
other: Auth-Key: 0
yara: contains_all(body_2, "success\":true,", "{\"fcm_token\":\"") AND contains_all(body_3, "true,\"data\":", "access_token=")
  • Look for unauthenticated POST requests to /wp-json/post-smtp/v1/connect-app with the HTTP header 'Auth-Key: 0' — this is the type juggling bypass where a zero value is used to authenticate.
  • Follow-up GET to /wp-json/post-smtp/v1/get-log with Auth-Key: 0 after the connect-app call indicates log exfiltration (including password reset emails) as part of the account takeover chain.
  • Successful exploitation response to /wp-json/post-smtp/v1/connect-app contains both 'success":true,' and the submitted fcm_token value; the log endpoint response contains 'true,"data":' and 'access_token='.
  • The vulnerable REST endpoint is implemented in Postman/Mobile/includes/rest-api/v1/rest-api.php at line 60; monitor file-integrity or WAF rules targeting this path.
  • Sites running POST SMTP Mailer versions up to and including 2.8.7 are vulnerable; version 2.8.8 contains the fix. Detect vulnerable installs via the presence of /wp-content/plugins/post-smtp in page HTML.
  • A Metasploit auxiliary module exists for this CVE (modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb); monitor for its characteristic two-stage request pattern: connect-app (API key reset) followed by get-log (password reset email harvest).
  • The type juggling bypass only works because the Auth-Key header value '0' is loosely compared against the stored API key. Sites that have never configured a POST SMTP API key (null/empty state) may behave differently.
  • CVE-2023-52233 is a duplicate of this issue; do not double-count detections or patch tracking for both CVEs.
  • The Nuclei template uses randomised Device and Fcm-Token header values per request; signature-based detection must match on the static Auth-Key: 0 header rather than those dynamic values.
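As an added example (not part of the cvebase record, the plugin, or the Metasploit or Nuclei code it mentions), the detection notes above turned into a small correlation routine: it flags requests to the two REST endpoints that carry the static Auth-Key: 0 header, ignores the randomised Device and Fcm-Token values, and raises a chain alert when a connect-app call is followed by a get-log call from the same source within a short window. The JSON-lines log format, the addresses, timestamps and token strings are constructed assumptions; the endpoint paths and header names come from the page.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

CONNECT_APP = "/wp-json/post-smtp/v1/connect-app"
GET_LOG = "/wp-json/post-smtp/v1/get-log"

# Constructed sample log in JSON-lines form, as a reverse proxy or WAF might emit it
# (one object per request, with selected request headers). Addresses, times and
# token values are made up; the endpoints and header names come from the advisory.
SAMPLE_LOG = r"""
{"ts": "2024-01-12T12:00:00", "src": "198.51.100.7", "method": "POST", "path": "/wp-json/post-smtp/v1/connect-app", "headers": {"Auth-Key": "0", "Device": "qk3z8p1m", "Fcm-Token": "x9v2t7"}}
{"ts": "2024-01-12T12:00:03", "src": "198.51.100.7", "method": "GET", "path": "/wp-json/post-smtp/v1/get-log", "headers": {"Auth-Key": "0"}}
{"ts": "2024-01-12T12:05:10", "src": "203.0.113.9", "method": "POST", "path": "/wp-json/post-smtp/v1/connect-app", "headers": {"auth-key": "5f2c9d1e7b", "Device": "legit-phone"}}
{"ts": "2024-01-12T12:05:12", "src": "203.0.113.9", "method": "GET", "path": "/wp-json/post-smtp/v1/get-log", "headers": {"Auth-Key": "5f2c9d1e7b"}}
{"ts": "2024-01-12T12:30:00", "src": "192.0.2.44", "method": "GET", "path": "/wp-json/post-smtp/v1/get-log", "headers": {"Auth-Key": "0"}}
"""


def parse_events(text):
    """Parse JSON-lines records into dicts with a datetime 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def has_zero_auth_key(ev):
    """True when the request carries the static 'Auth-Key: 0' bypass header.

    Header names are matched case-insensitively; the value is compared as the exact
    string "0", so a legitimate key that merely starts with a zero does not match.
    Device and Fcm-Token are deliberately not consulted (they vary per request).
    """
    headers = {k.lower(): str(v).strip() for k, v in ev.get("headers", {}).items()}
    return headers.get("auth-key") == "0"


def detect_chain(events, window=timedelta(minutes=10)):
    """Flag single requests with the bypass header and correlate the two-stage
    pattern: connect-app (API key reset) then get-log (log harvest) from the same
    source within `window`. Returns a list of alert dicts in log order."""
    alerts = []
    pending = {}  # src -> time of its latest zero-key connect-app request
    for ev in events:
        if not has_zero_auth_key(ev):
            continue
        src = ev["src"]
        if ev["method"] == "POST" and ev["path"] == CONNECT_APP:
            pending[src] = ev["ts"]
            alerts.append({"src": src, "ts": ev["ts"], "kind": "connect_app_zero_key"})
        elif ev["method"] == "GET" and ev["path"] == GET_LOG:
            alerts.append({"src": src, "ts": ev["ts"], "kind": "get_log_zero_key"})
            first = pending.get(src)
            if first is not None and ev["ts"] - first <= window:
                alerts.append({"src": src, "ts": ev["ts"], "kind": "takeover_chain"})
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {'connect_app_zero_key': 1, ...}."""
    return dict(Counter(a["kind"] for a in alerts))


if __name__ == "__main__":
    found = detect_chain(parse_events(SAMPLE_LOG))
    for a in found:
        print(a["ts"].isoformat(), a["src"], a["kind"])
    print(summarize(found))
```

On the constructed log this yields one connect_app_zero_key alert and one takeover_chain alert for 198.51.100.7, a lone get_log_zero_key alert for 192.0.2.44 (worth a look even without the first stage), and nothing for 203.0.113.9, whose requests carry a real key. The response-body strings from the IOC list (success":true with the echoed fcm_token, and true,"data": with access_token=) can be added as a second signal where the proxy also logs response bodies.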

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 8.6 HIGH