CVE-2023-6875
Published 2024-01-11
CVE-2023-6875: The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of…
Priority: P191 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 90.34% (99.8th percentile)
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. CVE-2023-52233 appears to be a duplicate of this issue.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpexperts | post_smtp | <= 2.8.7 | 2.8.8 |
Detection & IOCs (extracted from sources)

Response matcher (labelled "yara" by the source; the syntax is the Nuclei DSL, with body_2 and body_3 being the second and third response bodies of the template's request chain):
contains_all(body_2, "success\":true,", "{\"fcm_token\":\"") AND contains_all(body_3, "true,\"data\":", "access_token=")

Indicators:
- Look for unauthenticated POST requests to /wp-json/post-smtp/v1/connect-app with the HTTP header 'Auth-Key: 0'. This is the type juggling bypass where a zero value is used to authenticate.
- A follow-up GET to /wp-json/post-smtp/v1/get-log with Auth-Key: 0 after the connect-app call indicates log exfiltration (including password reset emails) as part of the account takeover chain.
- A successful exploitation response from /wp-json/post-smtp/v1/connect-app contains both 'success":true,' and the submitted fcm_token value; the log endpoint response contains 'true,"data":' and 'access_token='.
- The vulnerable REST endpoint is implemented in Postman/Mobile/includes/rest-api/v1/rest-api.php at line 60; monitor file-integrity or WAF rules targeting this path.
- Sites running POST SMTP Mailer versions up to and including 2.8.7 are vulnerable; version 2.8.8 contains the fix. Detect vulnerable installs via the presence of /wp-content/plugins/post-smtp in page HTML.
- A Metasploit auxiliary module exists for this CVE (modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb); monitor for its characteristic two-stage request pattern: connect-app (API key reset) followed by get-log (password reset email harvest).

Notes:
- The type juggling bypass only works because the Auth-Key header value '0' is loosely compared against the stored API key. Sites that have never configured a POST SMTP API key (null/empty state) may behave differently.
- CVE-2023-52233 is a duplicate of this issue; do not double-count detections or patch tracking for both CVEs.
- The Nuclei template uses randomised Device and Fcm-Token header values per request; signature-based detection must match on the static Auth-Key: 0 header rather than those dynamic values.
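The indicators above describe one procedure: a connect-app POST carrying Auth-Key: 0, then a get-log GET from the same client with the same header. The script below is an added example that hunts for that chain in request logs; it is not part of the advisory, the Wordfence write-up, or the Nuclei or Metasploit code. It assumes a proxy or WAF log in JSON-lines form with the fields ts, src, method, path, headers and status (the field names and the sample records are constructed for the example), and it deliberately keys on the static Auth-Key value only, since Device and Fcm-Token are randomised by the scanner.

```python
"""Added example: hunt for the CVE-2023-6875 two-stage request pattern in proxy/WAF logs.

Assumptions (not from the advisory): the log is JSON lines with the fields
ts, src, method, path, headers and status, and request headers were recorded.
"""
import json
from datetime import datetime, timedelta

CONNECT_APP = "/wp-json/post-smtp/v1/connect-app"
GET_LOG = "/wp-json/post-smtp/v1/get-log"
WINDOW = timedelta(minutes=15)  # a get-log this long after the key reset still counts as the chain

# Stage severity, highest wins: a lone get-log read, a key reset, or the full chain.
RANK = {"log-read": 1, "reset": 2, "chain": 3}

# Constructed sample log, not captured traffic. 203.0.113.7 runs the full chain,
# 198.51.100.9 only resets the key (lower-cased header name on purpose), and
# 192.0.2.44 is a legitimate mobile-app client presenting a real key.
SAMPLE_LOG = """\
{"ts":"2024-01-12T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/wp-json/post-smtp/v1/connect-app","headers":{"Auth-Key":"0","Device":"a1b2c3","Fcm-Token":"tok-77"},"status":200}
{"ts":"2024-01-12T10:00:02Z","src":"203.0.113.7","method":"GET","path":"/wp-json/post-smtp/v1/get-log?type=log&id=","headers":{"Auth-Key":"0"},"status":200}
{"ts":"2024-01-12T10:05:00Z","src":"198.51.100.9","method":"POST","path":"/wp-json/post-smtp/v1/connect-app","headers":{"auth-key":"0","Device":"d4e5f6","Fcm-Token":"tok-91"},"status":200}
{"ts":"2024-01-12T10:06:00Z","src":"192.0.2.44","method":"POST","path":"/wp-json/post-smtp/v1/connect-app","headers":{"Auth-Key":"legit-mobile-app-key","Device":"phone1"},"status":200}
{"ts":"2024-01-12T10:07:00Z","src":"192.0.2.44","method":"GET","path":"/wp-json/post-smtp/v1/get-log","headers":{"Auth-Key":"legit-mobile-app-key"},"status":200}
"""


def get_header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    want = name.lower()
    for key, value in headers.items():
        if key.lower() == want:
            return value
    return None


def parse_log(text):
    """Parse JSON-lines records into dicts with a datetime ts and a query-less route."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["route"] = rec["path"].split("?", 1)[0]
        events.append(rec)
    return events


def _escalate(verdict, src, stage):
    """Record stage for src unless a more severe stage is already recorded."""
    if RANK[stage] > RANK.get(verdict.get(src), 0):
        verdict[src] = stage


def detect(events, window=WINDOW):
    """Map each source IP to the worst stage seen.

    'reset'    : POST connect-app with Auth-Key: 0 (API key overwritten)
    'log-read' : GET get-log with Auth-Key: 0 and no preceding reset in the window
    'chain'    : reset followed by get-log with Auth-Key: 0 inside the window
    Only the static Auth-Key value is matched; Device and Fcm-Token are
    attacker-randomised and useless as signatures.
    """
    last_reset = {}
    verdict = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        auth = get_header(ev.get("headers", {}), "Auth-Key")
        if auth is None or auth.strip() != "0":
            continue  # a real key, or no key at all: not the type-juggling bypass
        src = ev["src"]
        if ev["method"] == "POST" and ev["route"] == CONNECT_APP:
            last_reset[src] = ev["ts"]
            _escalate(verdict, src, "reset")
        elif ev["method"] == "GET" and ev["route"] == GET_LOG:
            seen = last_reset.get(src)
            if seen is not None and ev["ts"] - seen <= window:
                _escalate(verdict, src, "chain")
            else:
                _escalate(verdict, src, "log-read")
    return verdict


def main():
    for src, stage in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {stage}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the two findings from the constructed log; point parse_log at your own export to hunt. A 'reset' without a following 'chain' is still worth an incident: the mailer's API key has been replaced with the attacker's, and the log read may have come from a different source address.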
CVSS provenance
NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck · 8.6 HIGH
VulDB
POST SMTP Mailer Plugin up to 2.8.7 on WordPress authorization (ID 176525)
vuldb · 2026-04-11 · CVSS 9.8 · CRITICAL
A vulnerability, which was classified as critical, was found in POST SMTP Mailer Plugin up to 2.8.7 on WordPress. This vulnerability affects unknown code. The manipulation results in authorization bypass.
This vulnerability was named CVE-2023-6875. The attack may be performed from remote. There is no available exploit.
GHSA
GHSA-9cw8-p5p2-35pf: The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized a
ghsa_unreviewed · 2024-01-11 · CRITICAL · CWE-639
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
VulnCheck
wpexperts post_smtp Authorization Bypass Through User-Controlled Key
vulncheck · 2023 · CVSS 8.6 · HIGH
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. CVE-2023-52233 appears to be a duplicate of this issue.
Affected: wpexperts post_smtp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploita
No detection rules found.
Nuclei
WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
nuclei · CVSS 9.8 · CRITICAL
The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7.
Template:
id: CVE-2023-6875
info:
  name: WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions u
Metasploit
Wordpress POST SMTP Account Takeover
metasploit
The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege escalation where an unauthenticated user is able to reset the password of an arbitrary user. This is done by requesting a password reset, then viewing the latest email logs to find the associated password reset email.
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio · 2025-02-26 · CVSS 9.8 · CRITICAL
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys · 2025-02-25
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Bleepingcomputer
Over 150k WordPress sites at takeover risk via vulnerable plugin
blogs_bleepingcomputer · 2024-01-11 · CVSS 9.8 · CRITICAL
## Bill Toulas
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site's authentication.
Last month, security researchers Ulysses Saicha and Sean Murphy discovered two vulnerabilities in the plugin and reported them to the vendor via Wordfence's bug bounty program.
The first, tracked as CVE-2023-6875, is a critical authorization bypass flaw arising from a “type juggling” issue on the connect-app REST endpoint. The issue impacts all versions of the plugin up to and including 2.8.7.
An unauthenticated attacker could exploit it to reset the API key and view sensitive log information, including password reset emails.
Speci
Sentinelone
Black Basta
blogs_sentinelone · 2022-11-30
Greynoiseio
NoiseLetter January 2024
blogs_greynoiseio
Sentinelone
Black Basta
blogs_sentinelone
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year’s worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
References:
- https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60
- https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1&old=3012318&old_path=%2Fpost-smtp%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve
- http://packetstormsecurity.com/files/176525/WordPress-POST-SMTP-Mailer-2.8.7-Authorization-Bypass-Cross-Site-Scripting.html