WordPress SMTP Plugin Vulnerable to SQL Injection
CVE-2024-5207

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Post Smtp – The WordPress Smtp Plugin With Email Logs And Mobile App For Email Failure Notifications
Vendor: CVE Published:; 30 May 2024

Summary

The POST SMTP Plugin for WordPress is susceptible to a time-based SQL Injection vulnerability. This issue arises from insufficient escaping of user-supplied parameters and inadequate query preparation in versions prior to 2.9.3. As a result, authenticated users with administrative permissions may exploit this flaw to insert harmful SQL queries into existing commands, potentially allowing them to extract sensitive information from the database. Proper security measures and updates are critical to safeguard against this vulnerability.

Affected Version(s)

Post SMTP – The WordPress SMTP Plugin with Email Logs and Mobile App for Email Failure Notifications * <= 2.9.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/post-smtp/trun...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 30, 2024
Vulnerability Reserved
May 22, 2024

Credit

ngocanh le