Posts

CVE-2023-6875: POST SMTP Mailer Authorization Bypass to Admin Account Takeover

My POST SMTP Mailer authorization bypass finding, the proof-of-concept flow, and why the impact was high.

This was my first big bug bounty hit: CVE-2023-6875, an authorization bypass in the POST SMTP Mailer WordPress plugin.

The public proof of concept is here:

UlyssesSaicha/CVE-2023-6875

I submitted the proof of concept to Wordfence during its Holiday Bug Bonanza. The PoC received an extra award, which made this feel like a real milestone for me.

Summary card for CVE-2023-6875 showing affected plugin versions and impact
CVE-2023-6875 affected POST SMTP Mailer versions up to and including 2.8.7. WordPress.org currently lists the plugin at 300,000+ active installations.

The bug

The vulnerability affected the POST SMTP Mailer WordPress plugin, specifically the mobile-app connection flow.

Public advisories describe it as an authorization bypass caused by a type-juggling issue in the connect-app REST endpoint. In practice, an unauthenticated attacker could reset the API key used by the mailer app, then use that access to read email logs.

That gets serious quickly because WordPress email logs often contain password reset emails.

Scale

For scale, the WordPress.org plugin page currently lists POST SMTP Mailer at 300,000+ active installations.

That is not the exact historical vulnerable-site count. It is the current active-installation count shown by WordPress.org. Still, it shows why the bug mattered: this was not a tiny plugin installed on a few test sites.

BleepingComputer covered the issue on January 11, 2024, describing POST SMTP Mailer as an email delivery plugin used by 300,000 websites and reporting that over 150k WordPress sites were at takeover risk.

Why it mattered

The vulnerable path could let an unauthenticated attacker:

  • Reset or control the mailer API access token.
  • Read email log metadata and message contents.
  • Locate password reset emails.
  • Use the reset flow to take over an account.

For a WordPress site, exposing password reset emails can turn a mailer-plugin bug into account takeover.

Proof-of-concept shape

I am not embedding the full script here because the public repository already has it. The important part for this writeup is the chain:

High-level proof of concept flow for CVE-2023-6875
The proof of concept demonstrated the issue as a chain: set the app token, trigger a reset email, read the mailer logs, then inspect the reset email.

The PoC did four things:

  1. Set a controlled app token through the vulnerable connection endpoint.
  2. Triggered a password reset email in the test environment.
  3. Used the controlled token to retrieve mailer logs.
  4. Selected the relevant email log and displayed its contents.

That made the impact easy to review. The report did not depend on vague risk language; it showed a path from unauthenticated access to sensitive reset-email exposure.

References