The WordPress plugin POST SMTP Mailer – Email Log, Delivery Failure Notifications and Best Mail SMTP is a popular tool that helps website owners to manage emails related to their site more efficiently. However, a critical vulnerability has been discovered in all versions up to and including 2.8.7 that exposes websites using the plugin to Stored Cross-Site Scripting (XSS) attacks. This vulnerability (CVE-2023-7027) allows unauthenticated attackers to inject malicious scripts into a target website via the 'device' header, causing the script to execute when a user accesses the injected page.

Code Snippet

The vulnerability exists due to insufficient input sanitization and output escaping of the 'device' header in the plugin's code. Here's an example of the vulnerable code:

<?php
// Read the raw value of the 'device' request header
$device = $_SERVER['HTTP_DEVICE'];

// Output the 'device' value unsanitized and unescaped (the vulnerable pattern)
echo "<span class='device'>$device</span>";
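The following is an added example, not the plugin's own code, that places the unsafe pattern above beside a hardened version: the header is treated as untrusted, bounded, and escaped at the point of output. It assumes a WordPress environment where esc_html() exists; the fallback makes it also run under plain PHP CLI.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress provides esc_html();
// the fallback below lets the file run stand-alone under the PHP CLI as well.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: reflects the raw Device header straight into markup,
// mirroring the snippet above. Any "<" or quote in the header survives.
function render_device_unsafe(array $server): string {
    $device = $server['HTTP_DEVICE'] ?? '';
    return "<span class='device'>$device</span>";
}

// Hardened: strip control characters, cap the length, and escape on output.
// Escaping at output time also covers values that were stored (logged) earlier.
function render_device_safe(array $server): string {
    $device = (string) ($server['HTTP_DEVICE'] ?? '');
    $device = preg_replace('/[\x00-\x1F\x7F]/', '', $device);
    $device = mb_substr($device, 0, 64);
    return "<span class='device'>" . esc_html($device) . "</span>";
}

// Constructed request, not a real capture: a Device header carrying markup.
$fake_server = ['HTTP_DEVICE' => '"><script>alert(1)</script>'];

$unsafe = render_device_unsafe($fake_server);
$safe   = render_device_safe($fake_server);

// The unsafe rendering still contains a live <script> tag; the safe one does not.
var_dump(strpos($unsafe, '<script') !== false); // bool(true)
var_dump(strpos($safe, '<script') === false);   // bool(true)
echo $safe, PHP_EOL;
// <span class='device'>&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</span>
```

The same check, run against a page's rendered output, is a quick way to confirm that a fix actually escapes the header rather than only filtering a known payload.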

Exploit Details

By exploiting this vulnerability, an attacker can insert a malicious script that will ultimately execute in the browser of any user visiting the affected page. This could lead to various potential security breaches, such as stealing sensitive information (e.g., login credentials), redirecting users to phishing websites, defacing the target website, and more.

The following is a sample request that demonstrates how the vulnerability can be triggered:

GET /vulnerable_page HTTP/1.1
Host: target.website
User-Agent: Victim's Browser
Accept: text/html
Device: "><script>alert('XSS')</script>

In the example above, the attacker sends a crafted HTTP request that contains the malicious script in the 'Device' header. The vulnerable plugin then echoes the unsanitized and unescaped value from the header, causing the script to be injected into the webpage and executed when a user visits the affected page.

Original References

This vulnerability was initially reported by Security Researcher's Name in their Blog Post. For more technical details and proof-of-concept, you can refer to the Official CVE Details and NIST National Vulnerability Database as well.

Mitigation

To protect your WordPress website from this vulnerability, it is highly recommended to update the POST SMTP Mailer – Email Log, Delivery Failure Notifications and Best Mail SMTP plugin to the latest version, which contains a patch for this issue. Additionally, website owners should always follow best security practices, such as keeping their plugins and themes up to date, using strong and unique passwords, and enabling two-factor authentication wherever possible.

Timeline

Published on: 01/03/2024 05:15:11 UTC
Last modified on: 02/02/2024 16:30:28 UTC