Sendmachine for WordPress Authorization Bypass Vulnerability Allowing SMTP Configuration Overwrite
Vulnerability
A vulnerability exists in the Sendmachine for WordPress plugin, in versions up to and including 1.0.20. The issue is an authorization bypass in the 'manage_admin_requests' function, where the plugin fails to properly verify user permissions. This flaw enables unauthenticated attackers to overwrite the plugin's SMTP configuration and potentially intercept all outgoing emails from the site, including password reset messages.
Impact
Exploitation of this vulnerability allows for unauthorized modification of the plugin's SMTP settings, leading to interception of all outgoing emails from the WordPress site. This includes critical communications such as password reset emails, which could be exploited for unauthorized account access.
Reproduction
To reproduce this vulnerability, send a request to the WordPress site with the 'sm_admin_wp_request' parameter. Include the 'sm_action' parameter with a value that triggers the email management functions, such as 'update_email_settings' or 'send_test_email'. The absence of proper authorization checks will allow the request to be processed, overwriting the SMTP configuration with the specified details.
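For defenders reviewing whether a site received such requests, the following added example (not part of the advisory or the plugin) scans web server access logs for the 'sm_admin_wp_request' parameter and reports the 'sm_action' value, source address and response status. It assumes Combined Log Format and that the parameters appear in the query string; parameters sent in a POST body are not recorded in access logs and need WAF or request-body logging instead. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
MARKER = "sm_admin_wp_request"  # parameter named in the advisory
ACTION = "sm_action"            # parameter named in the advisory

# Constructed sample lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2025:10:00:05 +0000] "POST /?sm_admin_wp_request=1&sm_action=update_email_settings HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.23 - - [01/Jan/2025:10:00:09 +0000] "GET /?sm%5Fadmin%5Fwp%5Frequest=1&sm_action=send_test_email HTTP/1.1" 200 12 "-" "curl/8.0"',
    'not a log line',
]


def find_sendmachine_requests(lines):
    """Return one dict per log line whose query string carries the marker parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        ip, when, method, target, status = m.groups()
        try:
            parts = urlsplit(target)
        except ValueError:
            continue  # unparsable request target
        # parse_qs percent-decodes names and values, so an encoded
        # parameter name (sm%5Fadmin...) is matched as well.
        params = parse_qs(parts.query, keep_blank_values=True)
        if MARKER not in params:
            continue
        hits.append({
            "ip": ip, "time": when, "method": method, "path": parts.path,
            "action": params.get(ACTION, [""])[0], "status": int(status),
        })
    return hits


if __name__ == "__main__":
    for hit in find_sendmachine_requests(SAMPLE_LOG):
        print(hit)
```

Any hit from a client that was not an administrator session is worth following up by comparing the plugin's current SMTP settings against the intended values.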
