CVE-2023-6875: POST SMTP Mailer Authorization Bypass to Admin Account Takeover
My POST SMTP Mailer authorization bypass finding, the proof-of-concept flow, and why the impact was high.
This was my first big bug bounty hit: CVE-2023-6875, an authorization bypass in the POST SMTP Mailer WordPress plugin.
The public proof of concept is here:
I submitted the proof of concept to Wordfence during its Holiday Bug Bonanza. The PoC received an extra award, which made this feel like a real milestone for me.
The bug
The vulnerability affected the POST SMTP Mailer WordPress plugin, specifically the mobile-app connection flow.
Public advisories describe it as an authorization bypass caused by a type-juggling issue in the connect-app REST endpoint. In practice, an unauthenticated attacker could reset the API key used by the mailer app, then use that access to read email logs.
That gets serious quickly because WordPress email logs often contain password reset emails.
Scale
For scale, the WordPress.org plugin page currently lists POST SMTP Mailer at 300,000+ active installations.
That is not the exact historical vulnerable-site count. It is the current active-installation count shown by WordPress.org. Still, it shows why the bug mattered: this was not a tiny plugin installed on a few test sites.
BleepingComputer covered the issue on January 11, 2024, describing POST SMTP Mailer as an email delivery plugin used by 300,000 websites and reporting that over 150k WordPress sites were at takeover risk.
Why it mattered
The vulnerable path could let an unauthenticated attacker:
- Reset or control the mailer API access token.
- Read email log metadata and message contents.
- Locate password reset emails.
- Use the reset flow to take over an account.
For a WordPress site, exposing password reset emails can turn a mailer-plugin bug into account takeover.
Proof-of-concept shape
I am not embedding the full script here because the public repository already has it. The important part for this writeup is the chain:
The PoC did four things:
- Set a controlled app token through the vulnerable connection endpoint.
- Triggered a password reset email in the test environment.
- Used the controlled token to retrieve mailer logs.
- Selected the relevant email log and displayed its contents.
That made the impact easy to review. The report did not depend on vague risk language; it showed a path from unauthenticated access to sensitive reset-email exposure.