Post SMTP WordPress Plugin Missing Authorization Vulnerability Allowing Email Log Access and Account Takeover

A vulnerability exists in the Post SMTP WordPress plugin, specifically in versions through 3.6.0, due to a missing capability check in the constructor function. This flaw allows unauthenticated attackers to access and read logged emails sent via the Post SMTP plugin. The exposed emails may include sensitive information such as password reset links, potentially leading to unauthorized account access.

Impact

Exploitation of this vulnerability could result in unauthorized access to email logs, including sensitive information such as password reset links, which could be used for account takeover.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a request to the WordPress site with the 'page' parameter set to 'postman_email_log' and the 'view' parameter set to 'log'. The request must also include a 'log_id' parameter corresponding to the ID of the email log to be accessed. This can be done through the WordPress admin AJAX interface, bypassing the missing capability check.

Remediation

Users are advised to update the Post SMTP WordPress plugin to version 3.6.1 or later.