Dangerous WordPress plugin puts over 160,000 sites at risk - here's what we know
techradar.com
- Older versions of Post SMTP allowed hackers to read all emails
- They could also reset the admin password and read the notification email, gaining access to the account
- More than 160,000 WordPress sites are running the vulnerable version
A popular WordPress plugin with hundreds of thousands of active installations carried a vulnerability that allowed threat actors to take over compromised websites, experts have warned.
The plugin is called Post SMTP, a tool that replaces WordPress’s default email function with an authenticated SMTP method, and currently counts more than 400,000 active installations.
Security researchers PatchStack warned an access control mechanism in the plugin’s REST API endpoint was broken, only verifying if a user was logged in, and not checking whether they had permissions to do certain actions, or not. As a result, low-privileged users were allowed access to email logs with full email contents, meaning they were ...
Copyright of this story solely belongs to techradar.com . To see the full text click HERE