A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.
Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin.
The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.
A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem - including publishing unauthorised content, linking to malicious webpages, or planting backdoors.
The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.
Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.