Post SMTP < 2.6.1 – Authenticated (Administrator+) SQL Injection

Description

The Post SMTP plugin for WordPress is vulnerable to time-based SQL Injection via the log_id parameter in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Proof of Concept

https://example.com/wp-admin/admin.php?page=postman_email_log&view=log&log_id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))a)

Affects Plugins

post-smtp

Fixed in 2.6.1

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3816a6cf-8157-4ad9-83f6-93c9b6c6275f

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

7.2 (high)

Miscellaneous

Verified

Yes

WPVDB ID

6f76b688-820c-46c8-ae9a-15e8c7f217ae

Timeline

Publicly Published

2023-10-03 (about 7 months ago)

Added

2023-12-21 (about 4 months ago)

Last Updated

2024-01-02 (about 4 months ago)

Other

Published

Title

Published

2023-06-19

Title

WooCommerce Product Vendors < 2.1.79 - ShopManager+ SQLi

Published

2014-08-01

Title

Menu Creator <= 1.1.7 - SQL Injection

Published

2021-10-07

Title

Schreikasten <= 0.14.18 - Author+ SQL Injections

Published

2023-12-21

Title

Simply Schedule Appointments < 1.6.6.1 - Authenticated(Administrator+) SQL Injection

Published

2015-07-22

Title

Easy Social Icons < 1.2.4 - Authenticated SQL Injection