Post SMTP WordPress Plugin Missing Authorization Vulnerability in Office 365 OAuth Handling

Vulnerability

A vulnerability exists in the Post SMTP plugin for WordPress in all versions up to and including 3.8.0. The 'handle_office365_oauth_redirect()' function, which runs on the 'admin_init' action, performs neither a capability check nor nonce verification. Because 'admin_init' fires for every logged-in user who loads a wp-admin page, authenticated attackers with Subscriber-level access or higher can reach the handler and, by sending a crafted URL, overwrite the site's Office 365 OAuth mail settings, including the stored access token, refresh token and user email. This is particularly concerning because an Administrator working through the Microsoft 365 SMTP setup (a feature of the Pro version of the plugin) could be misled into treating an attacker-controlled Azure application as legitimate, resulting in an unauthorized connection.

Impact

Exploitation allows any authenticated user with Subscriber-level access or higher to overwrite the Office 365 OAuth mail configuration, including the access token, refresh token and user email, without authorization. The overwritten values can deceive an Administrator about which Azure application the site is connected to, leading to an unauthorized connection during the Microsoft 365 SMTP setup.

Reproduction

To reproduce, an authenticated user with Subscriber-level access or higher sends a request to a wp-admin URL on the site carrying the parameters that the Office 365 OAuth redirect handler reads, with attacker-chosen values for the token and email fields. No bypass is required: 'handle_office365_oauth_redirect()' performs neither a capability check nor nonce verification, so the request is processed as if it came from an Administrator completing the OAuth flow.
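The pattern behind the vulnerability described above and in the Reproduction note, shown as an added illustration that is not the Post SMTP plugin's own code: an 'admin_init' handler that writes OAuth settings straight from its query string, beside the same handler with the capability check and nonce verification the advisory says are missing. The option keys, the request parameters ('example_office365_oauth', 'access_token', 'refresh_token', 'user_email'), the nonce action and the settings page slug are assumed names chosen for the example; the advisory does not give the plugin's real identifiers.

```php
<?php
// Added illustration, not the Post SMTP plugin's code. All option keys,
// request parameter names, the nonce action and the page slug are assumptions.

// Reads the token material and e-mail from the request and stores it. Shared
// by both handlers so the only difference between them is the checks.
function example_office365_store_from_request() {
	$access  = sanitize_text_field( wp_unslash( $_GET['access_token'] ?? '' ) );
	$refresh = sanitize_text_field( wp_unslash( $_GET['refresh_token'] ?? '' ) );
	$email   = sanitize_email( wp_unslash( $_GET['user_email'] ?? '' ) );
	update_option( 'example_office365_access_token', $access );
	update_option( 'example_office365_refresh_token', $refresh );
	update_option( 'example_office365_user_email', $email );
	wp_safe_redirect( admin_url( 'options-general.php?page=example-mail' ) );
	exit;
}

// VULNERABLE pattern. 'admin_init' fires for every logged-in user who loads a
// wp-admin URL (a Subscriber can open /wp-admin/profile.php), so this runs for
// them too, and nothing restricts who may change the stored settings.
function example_office365_oauth_redirect_vulnerable() {
	if ( empty( $_GET['example_office365_oauth'] ) ) {
		return;
	}
	// No current_user_can(), no nonce: any authenticated user who sends
	// ?example_office365_oauth=1&access_token=...&refresh_token=...&user_email=...
	// replaces the site's Office 365 OAuth configuration.
	example_office365_store_from_request();
}

// HARDENED pattern: the same handler with the two missing controls.
function example_office365_oauth_redirect_hardened() {
	if ( empty( $_GET['example_office365_oauth'] ) ) {
		return;
	}
	// 1. Capability check: only users allowed to change site settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Sorry, you are not allowed to change mail settings.', 'example' ), 403 );
	}
	// 2. Nonce check: the request must carry a token minted for this action and
	//    bound to the current user's session, so a URL built by someone else,
	//    or replayed after it expired, is rejected.
	$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'example_office365_oauth' ) ) {
		wp_die( esc_html__( 'The link used to finish the OAuth setup is invalid or has expired.', 'example' ), 403 );
	}
	example_office365_store_from_request();
}

// Register only the hardened handler; the vulnerable one is kept for contrast.
add_action( 'admin_init', 'example_office365_oauth_redirect_hardened' );

// The link that starts the flow is built with the matching nonce, so only a
// page an Administrator actually loaded yields a URL the handler accepts:
//   wp_nonce_url( admin_url( 'admin.php?example_office365_oauth=1' ), 'example_office365_oauth' );
```

Both checks are needed: the capability check alone would still let an attacker who can get an Administrator to click a crafted link (a CSRF) rewrite the settings, and the nonce alone would still accept a Subscriber's own session. In a real OAuth redirect the identity provider returns to the callback with its own parameters and echoes back the 'state' value the site sent, which is the usual place to carry the nonce so that it survives the round trip through the provider.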

Remediation

Users are advised to update the Post SMTP WordPress plugin to version 3.9.0 or later, where this vulnerability has been patched.
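A version triage helper, added here and not part of the advisory, that classifies an installed Post SMTP version against the ranges the advisory gives: up to and including 3.8.0 is affected, 3.9.0 and later is patched. Versions between those bounds are reported as unknown rather than guessed, since the advisory does not describe them. The WP-CLI invocation in the comment assumes the plugin slug is 'post-smtp'.

```shell
#!/bin/sh
# Added example, not part of the advisory. Classifies a Post SMTP version
# string as affected (<= 3.8.0), patched (>= 3.9.0) or unknown (in between).
# Requires sort -V (GNU coreutils) for correct multi-digit component ordering.

post_smtp_status() {
	ver="$1"
	# Lowest of {ver, 3.8.0} is ver  ->  ver <= 3.8.0  ->  affected
	if [ "$(printf '%s\n' "$ver" "3.8.0" | sort -V | head -n1)" = "$ver" ]; then
		echo affected
		return 0
	fi
	# Highest of {ver, 3.9.0} is ver  ->  ver >= 3.9.0  ->  patched
	if [ "$(printf '%s\n' "$ver" "3.9.0" | sort -V | tail -n1)" = "$ver" ]; then
		echo patched
		return 0
	fi
	# Neither bound applies; the advisory says nothing about this range.
	echo unknown
}

# Usage on a site (assumes the plugin slug 'post-smtp'; WP-CLI must be present):
#   post_smtp_status "$(wp plugin get post-smtp --field=version)"
if [ -n "${1:-}" ]; then
	post_smtp_status "$1"
fi
```

Run it against the version WP-CLI reports, or against the 'Version:' header in the plugin's main file when WP-CLI is not installed. A result of 'affected' means the update to 3.9.0 or later is still outstanding.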

Added: Mar 18, 2026, 4:34 PM
Updated: Mar 18, 2026, 4:34 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.