“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers. When it comes to WordPress plugin security, assumptions can be dangerous. This became evident when the Wordfence Threat Intelligence team discovered an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 14 different email logging plugins. The common thread? An assumption that the contents of emails generated within a WordPress instance could not be influenced by external actors. This oversight potentially exposed over 600,000 users to significant security risks.
We contacted all affected vendors after initial discovery between June 4, 2023 and June 11, 2023. Some developers were responsive while others were not, however all plugins except for one received updates to address these vulnerabilities.
All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.
Vulnerability Overview
CVSS Severity Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher: Alex Thomas
Affected Plugins
Below is a table detailing the affected plugins, along with their respective slugs, CVEs, links, reported dates, disclosed dates, and fixed versions.
Plugin Name
Plugin Slug
CVE
Reported Date
Disclosed Date
Fixed Version
WP Mail Catcher
wp-mail-catcher
CVE-2023-3080
June 4, 2023
June 8, 2023
1.11.1
WP Mail Logging
wp-mail-logging
CVE-2023-3081
June 1, 2023
June 7, 2023
1.11.1
Post SMTP
post-smtp
CVE-2023-3082
June 1, 2023
July 10, 2023
2.5.8
WP Mail Log
wp-mail-log
CVE-2023-3088
June 1, 2023
July 4, 2023
1.1.2
FluentSMTP
fluent-smtp
CVE-2023-3087
June 2, 2023
July 5, 2023
2.2.5
SMTP Mail
smtp-mail
CVE-2023-3092
June 2, 2023
July 4, 2023
Plugin closed. Awaiting fixed release.
YaySMTP
yaysmtp
CVE-2023-3093
June 2, 2023
June 11, 2023
2.4.6
GD Mail Queue
gd-mail-queue
CVE-2023-3122
June 5, 2023
June 8, 2023
4.0
Mailtree Log Mail
mailtree-log-mail
CVE-2023-3135
June 5, 2023
June 19, 2023
1.0.1
MailArchiver
mailarchiver
CVE-2023-3136
June 5, 2023
July 11, 2023
2.11.0
Mail Control
mail-control
CVE-2023-3158
June 6, 2023
July 9, 2023
Plugin closed. No fix.
Lana Email Logger
lana-email-logger
CVE-2023-3166
June 6, 2023
June 7, 2023
1.1.0
Mail Queue
mail-queue
CVE-2023-3167
June 6, 2023
June 21, 2023
1.2
WP Reroute Email
wp-reroute-email
CVE-2023-3168
June 7, 2023
July 4, 2023
1.5.0
Technical Analysis
Our investigation began with identifying the easiest and most common way to get user-supplied input into an email generated by the WordPress instance: contact forms. Often made accessible to unauthenticated site visitors, we found that input submitted via the Contact Form 7 plugin’s default contact form (a plugin used by over 5 million users), was not escaped when displayed within the email logging page of any of the 14 plugins we examined. This opened the door to an unauthenticated stored XSS attack.
Note that this vulnerability cannot be exploited without the presence of the vulnerable email logging plugins. While we used Contact Form 7 to provide a contact form for our proof-of-concept, it’s important to clarify that Contact Form 7, by itself, is not vulnerable and does sanitize its output. The vulnerability arises when a contact form plugin is used in combination with one of the email logging plugins mentioned in this post, which do not sanitize their output. Therefore, it is these email logging plugins that are vulnerable in this scenario, not Contact Form 7.
All plugins affected by this vulnerability have a feature designed to display any emails sent by the WordPress instance where they are installed. For some of these plugins, this is the primary feature, and for others this is a secondary feature, which may need to be enabled.
In this vulnerability analysis, we will be highlighting Post SMTP, an SMTP plugin for WordPress that includes email logging functionality (enabled by default) which is used by over 300,000 users.
Post SMTP Email Log Settings
We replicated a typical WordPress site contact form by entering the
Error: Contact form not found.
shortcode into a WordPress page. We then accessed this page as an unauthenticated user and entered the payload into the ‘Your name’, ‘Subject’, and ‘Your message’ fields.The default Contact Form 7 contact form with XSS payloads entered into the form fields
Then, as an administrator, we navigated to the Post SMTP Email Log page where the payload in the ‘Subject’ field immediately fired.
XSS payload in the ‘Subject’ field triggers upon access to the administrative Email Log page
Clicking on the ‘View’ link for the email log entry caused the payload in all fields to execute.
XSS payload in the ‘Your name’ field triggers upon access to the administrative Email Log page
XSS payload in the ‘Your message’ field triggers upon access to the administrative Email Log page
Conclusion
In this blog post, we highlighted a significant vulnerability affecting a large number of WordPress users. The fact that so many plugins providing the same functionality were vulnerable to the same attack method suggests a blind spot in the plugin developers’ security considerations. The potential for malicious input from an email generated via a contact form was seemingly overlooked.
If exploited, an XSS vulnerability of this nature can lead to a complete site takeover, especially on WordPress sites that have not implemented the suggestions from the WordPress hardening guide. This vulnerability underscores the importance of not only keeping your plugins updated but also ensuring that your site is properly hardened against potential attacks. This is a stark reminder that when it comes to security, we must never assume anything.
We encourage WordPress users to verify that their sites are updated to the latest patched version if an affected plugin is being used.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.
If you know someone who uses any of these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.
The post “Never Assume Anything” – Unauthenticated Stored Cross-Site Scripting Vulnerability Exposed in 14 Email Logging Plugins appeared first on Wordfence.
