Thousands of WordPress sites under threat from dodgy plugins

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

A popular WordPress plugin with more than 300,000 installs carried two high-severity vulnerabilities that could allow threat actors to completely take over the websites, experts have warned.

Cybersecurity researchers from Wordfence discovered the flaw in early December last year, and reported it to the developers.

As per the researchers, the vulnerable plugin is called POST SMTP, a tool that helps webmasters deliver emails to their visitors. It carried two major flaws - CVE-2023-6875, and CVE-2023-7027.

Hundreds of thousands of potential victims

The former is a critical authorization bypass vulnerability affecting all versions of the plugin up to 2.8.7. By abusing the flaw, a threat actor could reset API keys and thus gain access to sensitive log information, such as password reset emails. They can even abuse the vulnerability to install backdoors, modify plugins and themes, tamper with the site’s content, or redirect users elsewhere (for example, to a malicious phishing page, or to a site marred with advertising). 

The latter is a cross-site scripting (XSS) vulnerability, also present in all versions up to 2.8.7. By abusing it, hackers can inject arbitrary scripts.

The flaw was first spotted in early December, with the patch being made available on January 1, 2024. Those using the POST SMTP tool should make sure the plugin is brought to version 2.8.8.

According to BleepingComputer, there are some 150,000 websites running POST SMTP versions older than 2.8. The other 150,000 are using a newer, but still vulnerable, version. Since the patch was released, some 100,000 new downloads have been made. 

POST SMTP is a free plugin, rated 4.8/5 on the WordPress plugin repository. 

Generally speaking, WordPress as a website builder is considered safe. However, there are tens of thousands of free plugins carrying different vulnerabilities. Some of the plugins, despite being popular with the users, are no longer being supported by their developers, putting the users under great risk.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
WordPress
Another top WordPress plugin found carrying critical security flaws
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over a million WordPress sites exposed to attack from W3 Total Cache plugin flaw
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
This top WordPress plugin could be hiding a worrying security flaw, so be on your guard
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Latest in News
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI