SQL Injection Vulnerability in Post SMTP Plugin for WordPress
CVE-2024-13844

4.9 MEDIUM

Summary

The Post SMTP plugin for WordPress contains a SQL injection vulnerability in the 'columns' parameter, present in all versions up to and including 3.1.2. This flaw arises from insufficient parameter escaping and inadequate preparation of SQL queries, allowing authenticated attackers with Administrator-level access or higher to inject malicious SQL statements into existing queries. This issue can result in unauthorized access to sensitive database information. To mitigate risks, users should upgrade to the latest version where the vulnerability has been fixed.
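Why a user-controlled column list is not fixed by value placeholders alone, and how an allow-list closes that gap. This is an added illustration in plain PHP, not the Post SMTP plugin's code; the table name, column names and function names are hypothetical.

```php
<?php
// Added example (hypothetical names, not the plugin's own code).
// A SELECT list is made of identifiers. $wpdb->prepare() placeholders (%s, %d)
// only cover values, so a request-supplied 'columns' string pasted into the
// query text is executed verbatim: that is the pattern behind CVE-2024-13844.

// Vulnerable shape: the 'columns' request parameter becomes SQL text as-is.
function build_log_query_unsafe(string $table, string $columns, int $limit): string
{
    return sprintf("SELECT %s FROM `%s` ORDER BY `id` DESC LIMIT %d",
                   $columns, $table, $limit);
}

// Hardened shape: identifiers are chosen from a fixed allow-list; anything the
// request sends that is not an exact, known column name is silently dropped.
const ALLOWED_COLUMNS = ['id', 'to_email', 'subject', 'time']; // hypothetical schema

function build_log_query_safe(string $table, string $columns, int $limit): string
{
    $requested = array_map('trim', explode(',', $columns));
    $selected  = array_values(array_intersect($requested, ALLOWED_COLUMNS));
    if ($selected === []) {
        $selected = ALLOWED_COLUMNS;   // fall back to the full known-good set
    }
    // Back-tick quoting is safe here only because every name passed the allow-list.
    $cols = implode(', ', array_map(fn (string $c): string => "`$c`", $selected));
    // $limit is a value: in WordPress this would stay a %d placeholder and be
    // bound via $wpdb->prepare($sql, $limit) rather than formatted in directly.
    return sprintf("SELECT %s FROM `%s` ORDER BY `id` DESC LIMIT %d",
                   $cols, $table, $limit);
}

// Constructed request input: two real columns plus an extra expression.
$table   = 'wp_example_logs';                    // hypothetical table name
$columns = "id, subject, 1 AS not_a_column";

// The unsafe builder forwards the third entry into the SELECT list unchanged;
// the safe builder keeps only `id` and `subject`.
echo build_log_query_unsafe($table, $columns, 20), PHP_EOL;
echo build_log_query_safe($table, $columns, 20), PHP_EOL;
```

Run with `php example.php` and compare the two printed queries; the allow-list version is the shape a defender would expect to see when verifying the patched release.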

Affected Version(s)

Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more: all versions <= 3.1.2

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Nhien Pham