CVE-2023-6629 in POST SMTP Mailer Plugininfo

Summary

by MITRE • 01/03/2024

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2023-6621 appears to be a duplicate of this issue. CVE-2024-29128 appears to be a duplicate of this issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6629 affects the POST SMTP Mailer WordPress plugin, specifically targeting versions up to and including 2.8.6. This security flaw represents a reflected cross-site scripting vulnerability that exploits the 'msg' parameter within the plugin's functionality. The issue stems from inadequate input sanitization and insufficient output escaping mechanisms that fail to properly validate or encode user-supplied data before rendering it in web pages. The vulnerability is classified under CWE-79 as a weakness related to improper neutralization of input during web page generation, making it a classic example of a client-side attack vector that can compromise user sessions and execute malicious code in the context of the victim's browser.

The operational impact of this vulnerability extends beyond simple script injection, as it creates a potential attack surface for unauthenticated adversaries to manipulate the plugin's behavior. When an attacker crafts a malicious URL containing crafted script payloads in the 'msg' parameter and successfully convinces a user to click the link, the malicious code executes within the user's browser context. This type of attack aligns with ATT&CK technique T1566.001, which involves social engineering through spearphishing with a link, and demonstrates how seemingly benign plugin functionality can become a vector for more sophisticated attacks. The reflected nature of the vulnerability means that the malicious payload is reflected back to the user through the web application's response, making it particularly dangerous as it can bypass many standard security measures that rely on input validation at the server level.

The security implications of this vulnerability are significant as it allows attackers to perform actions such as stealing session cookies, redirecting users to malicious sites, or executing arbitrary code within the victim's browser. The fact that this vulnerability affects a widely used WordPress plugin increases the potential attack surface considerably, as many WordPress installations rely on SMTP mailer functionality for various operations including user registration, password reset, and administrative notifications. The vulnerability's classification as a duplicate of CVE-2023-6621 and CVE-2024-29128 indicates that similar issues have been identified in related or identical plugin versions, suggesting a systemic problem in the plugin's input handling mechanisms. The exploitation requires minimal privileges and can be accomplished through social engineering techniques, making it particularly dangerous in environments where users may not be security-aware. Organizations should prioritize patching this vulnerability as it represents a direct threat to user security and could enable further compromise of WordPress installations through session hijacking or credential theft attacks.

Responsible

Wordfence

Reservation

12/08/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00442

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!