A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.
Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin.
The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.
A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all manner of mayhem – including publishing unauthorised content, linking to malicious webpages, or planting backdoors.
The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.
Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.
In the week before Christmas, the researchers contacted the developers again – this time about the second vulnerability.
To their credit, the plugin's developers worked over the Christmas and New Year break to fix the problems, publishing an update (version 2.8.8 of the POST SMTP Mailer plugin) on January 1, 2024, which addressed the security issues.
It would be nice to think that the problem ended there.
However, as Bleeping Computer notes, the plugin's statistics show that only 53% of installations are currently running the latest updated version, meaning roughly 150,000 sites remain vulnerable.
It is over ten years since WordPress introduced the ability to automatically update plugins – but it remains an option that needs to be enabled for each individual plugin.
If you run a WordPress-powered website that uses the POST SMTP Mailer plugin, it is essential that you verify your site has been updated to use the latest patched version of the plugin (version 2.8.9 at the time of writing).
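As an added example (not part of the article or of the plugin itself), the following POSIX shell script uses WP-CLI to compare the installed POST SMTP Mailer version against the first patched release, update it if it is older, and switch on the per-plugin auto-update option the article mentions. It assumes WP-CLI is installed, that the script is run from the site's WordPress root, and that the plugin's wordpress.org slug is post-smtp.

```shell
#!/bin/sh
# Added example: check and remediate the POST SMTP Mailer plugin with WP-CLI.
PLUGIN_SLUG="post-smtp"   # assumption: the plugin's wordpress.org slug
MIN_PATCHED="2.8.8"       # first release that fixed both flaws (per the article)

# version_ge A B: succeeds when dotted version A is >= B, comparing each
# numeric segment (so 2.8.10 correctly sorts above 2.8.9).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# plugin_status VERSION: prints "patched" or "vulnerable" for an installed version.
plugin_status() {
    if version_ge "$1" "$MIN_PATCHED"; then echo patched; else echo vulnerable; fi
}

# check_site: query the installed version, update if needed, enable auto-updates.
check_site() {
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG is not installed on this site"
        return 0
    }
    status=$(plugin_status "$installed")
    echo "$PLUGIN_SLUG $installed: $status"
    if [ "$status" = vulnerable ]; then
        wp plugin update "$PLUGIN_SLUG"
    fi
    # Auto-updates are off by default and set per plugin; turn them on here.
    wp plugin auto-updates enable "$PLUGIN_SLUG"
}

# Run the live check only when invoked with --run, so the helper functions
# can be sourced and tested without WP-CLI present.
if [ "${1:-}" = "--run" ]; then
    check_site
fi
```

Run it as `sh check-post-smtp.sh --run` from the WordPress root; without `--run` it only defines the functions.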
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.