WP Mail SMTP by WPForms Vulnerability – Authenticated (Admin+) SMTP Password Exposure – CVE-2024-6694 | WordPress Plugin Vulnerability Report

Plugin Name: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Key Information:

  • Software Type: Plugin
  • Software Slug: wp-mail-smtp
  • Software Status: Active
  • Software Author: smub
  • Software Downloads: 54,987,682
  • Active Installs: 3,000,000
  • Last Updated: July 29, 2024
  • Patched Versions: 4.1.0
  • Affected Versions: <= 4.0.1

Vulnerability Details:

  • Name: WP Mail SMTP <= 4.0.1
  • Type: Authenticated (Admin+) SMTP Password Exposure
  • CVE: CVE-2024-6694
  • CVSS Score: 2.7
  • Publicly Published: July 19, 2024
  • Researcher: Guus Verbeek
  • Description: The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This vulnerability is due to the plugin displaying the SMTP password in the settings interface, making it visible to authenticated users with administrative access. This exposure could be potentially useful to attackers if an administrator account is compromised.

Summary:

The WP Mail SMTP plugin for WordPress has a vulnerability in versions up to and including 4.0.1 that allows for the exposure of SMTP passwords to authenticated users with administrative-level access. This vulnerability has been patched in version 4.1.0.

Detailed Overview:

The vulnerability was identified by researcher Guus Verbeek and involves the exposure of SMTP passwords in the settings interface of the WP Mail SMTP plugin. This issue arises because the plugin provides the SMTP password in plain text, visible to users with admin-level access. While this vulnerability requires authenticated access, it poses a risk if an attacker gains control of an administrator account, as it could lead to further exploitation or unauthorized access to email server credentials.

Advice for Users:

Immediate Action: Users should update to the patched version 4.1.0 immediately to secure their websites and prevent potential exposure of sensitive information. Check for Signs of Vulnerability: Review your website’s admin access logs and check for any unauthorized access that might indicate a compromised administrator account. Alternate Plugins: While the vulnerability has been patched, users may consider exploring alternative plugins that offer similar functionality and robust security measures. Stay Updated: Regularly updating plugins to their latest versions is crucial to prevent vulnerabilities and ensure the security of your website.

Conclusion:

The prompt response from the WP Mail SMTP developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 4.1.0 or later to secure their WordPress installations.

References:

Detailed Report: 

In the rapidly evolving digital landscape, maintaining the security of your website is crucial. A recent security vulnerability discovered in the popular WP Mail SMTP by WPForms plugin for WordPress, affecting versions up to 4.0.1, highlights the importance of keeping your website's plugins up to date. This vulnerability, identified as CVE-2024-6694, exposes SMTP passwords to users with administrative access, posing a significant risk to your website's security. For small business owners who rely on their WordPress websites, staying informed and taking prompt action is essential, even amidst the busy demands of running a business.

Details About the Plugin:

WP Mail SMTP by WPForms is a widely-used plugin designed to ensure email deliverability by configuring SMTP settings for WordPress. With over 54 million downloads and 3 million active installs, it is a critical tool for many websites. However, a recent vulnerability has been identified, requiring immediate attention from its users.

Details About the Vulnerability:

The vulnerability, detailed as CVE-2024-6694, involves the exposure of SMTP passwords in the plugin's settings interface. This issue occurs because the plugin displays the SMTP password in plain text, making it visible to users with admin-level access. Discovered by researcher Guus Verbeek, this vulnerability poses a risk if an attacker gains control of an administrator account, potentially leading to unauthorized access to email server credentials.

Risks and Potential Impacts:

The primary risk associated with this vulnerability is the exposure of sensitive SMTP credentials, which could be exploited if an administrator account is compromised. This could allow attackers to intercept or manipulate email communications, posing significant risks to data security and privacy. While this vulnerability requires authenticated access, the consequences of a breach can be severe, particularly for businesses handling sensitive customer information.

Remediation Steps:

To mitigate this vulnerability, users should immediately update the WP Mail SMTP plugin to version 4.1.0 or later, where the issue has been resolved. It's also advisable to review your website’s admin access logs for any unauthorized activity, which could indicate a compromised administrator account. While the vulnerability has been patched, considering alternative plugins with strong security measures is an additional precaution.

Overview of Previous Vulnerabilities:

Since September 19, 2018, there has been one previous vulnerability reported in the WP Mail SMTP plugin. This history underscores the importance of ongoing vigilance and regular updates to safeguard against emerging threats.

Conclusion:

Staying on top of security vulnerabilities is essential for protecting your website and business. For small business owners, who may not have the resources to constantly monitor and manage website security, it is crucial to establish a routine for checking and updating plugins. Regular updates, security audits, and seeking professional assistance when needed can help maintain a secure and trustworthy online presence. Remember, proactive security measures not only protect your data but also preserve the trust and confidence of your customers.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WP Mail SMTP by WPForms Vulnerability – Authenticated (Admin+) SMTP Password Exposure – CVE-2024-6694 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment