CVE-2023-6875 Overview
CVE-2023-6875 is an authorization bypass vulnerability in the POST SMTP Mailer plugin for WordPress, affecting all versions up to and including 2.8.7. The vulnerability stems from a type juggling issue in the connect-app REST endpoint, which allows unauthenticated attackers to reset the API key used for mailer authentication. This enables attackers to access email logs, including sensitive password reset emails, ultimately leading to complete site takeover.
Critical Impact
Unauthenticated attackers can reset the plugin's API key, access email logs containing password reset links, and take over WordPress sites without any prior authentication.
Affected Products
- POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress versions ≤ 2.8.7
- wpexperts post_smtp WordPress plugin
Discovery Timeline
- 2024-01-11 - CVE-2023-6875 published to NVD
- 2025-06-04 - Last updated in NVD database
Technical Details for CVE-2023-6875
Vulnerability Analysis
This vulnerability is classified as an Authorization Bypass (CWE-862: Missing Authorization) that exploits PHP's type juggling behavior in the REST API authentication mechanism. The flaw exists in the connect-app REST endpoint within the plugin's mobile API functionality, specifically in the file rest-api.php.
PHP's loose comparison operator (==) coerces operands of different types before comparing them, so two values that are not the same token can still compare equal: null, the empty string and the string "0" all satisfy == false, and a numeric string compares equal to the integer it denotes. Because the endpoint validates the API token with such a comparison rather than a strict one (=== or hash_equals()), a request whose token value lands on one of these coercion cases can satisfy the check without the attacker knowing the real token.
When successful, an attacker gains the ability to:
- Reset the API authentication key without authorization
- Access complete email logs stored by the plugin
- View password reset emails sent through the mailer
- Leverage captured password reset links to take over administrator accounts
Root Cause
The root cause lies in improper input validation and type handling within the REST API authentication flow. The connect-app endpoint uses a loose comparison when validating the authentication token, which is susceptible to PHP type juggling attacks. When a specially crafted request is sent, the comparison evaluates to true despite the attacker not possessing valid credentials.
The vulnerable code path can be examined in the WordPress Plugin Code Review, where the authentication check occurs at line 60 of the REST API handler.
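The comparison mistake in isolation, as an added illustration that is not the plugin's code or the page's own: a hypothetical token check written with == next to a strict replacement of the kind the patch section describes. The function names, the use of false to model a key that has not been provisioned, and the sample token strings are assumptions; the page gives only the endpoint and file, not the exact expression.

```php
<?php
// Added illustration, not code from the POST SMTP plugin or from this page:
// it shows the class of bug described above (a token check using ==) next to
// a strict replacement. Function names, the stored-key shape and the sample
// token values are assumptions; the page does not give the plugin's exact code.

// Loose check of the kind the advisory describes: vulnerable.
function validate_token_loose($supplied, $stored): bool
{
    return $supplied == $stored;
}

// Hardened check: both sides must be non-empty strings, compared with
// hash_equals(), which is type-strict and runs in constant time.
function validate_token_strict($supplied, $stored): bool
{
    if (!is_string($supplied) || $supplied === ''
        || !is_string($stored) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases. $stored = false models a key that was never provisioned
// (get_transient() and get_option() return false for a missing value);
// $supplied = null models a request header that was simply not sent.
$cases = [
    [null,  false],               // no header, no stored key
    ['',    false],               // empty header, no stored key
    ['0',   false],               // "0" is falsy, so "0" == false
    ['0',   0],                   // numeric string vs integer 0
    ['abc', 'c0ffee4bad1dea00'],  // wrong key against a real key
    ['c0ffee4bad1dea00', 'c0ffee4bad1dea00'], // correct key
];

foreach ($cases as [$supplied, $stored]) {
    printf(
        "supplied=%-18s stored=%-18s loose=%-5s strict=%s\n",
        var_export($supplied, true),
        var_export($stored, true),
        var_export(validate_token_loose($supplied, $stored), true),
        var_export(validate_token_strict($supplied, $stored), true)
    );
}
```

Under the loose check the first four cases all pass although none of them carries the real key; the strict check accepts only the last. These particular coercions behave the same on PHP 7 and PHP 8 (PHP 8 only changed comparisons between integers and non-numeric strings), so upgrading PHP is not a mitigation.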
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends malicious requests to the connect-app REST endpoint, exploiting the type juggling vulnerability to bypass authentication. Once the API key is reset, the attacker can authenticate to the plugin's mobile API and retrieve all stored email logs.
The attack sequence typically involves:
- Sending a crafted POST request to the /wp-json/post-smtp/v1/connect-app endpoint
- Exploiting the type juggling flaw to bypass token validation
- Resetting the API key to an attacker-controlled value
- Authenticating with the new API key to access email logs
- Extracting password reset links from the logs to compromise administrator accounts
Technical details and a proof of concept are available through Packet Storm Security.
Detection Methods for CVE-2023-6875
Indicators of Compromise
- Unusual requests to /wp-json/post-smtp/v1/connect-app endpoint from unknown IP addresses
- Unexpected API key changes in POST SMTP plugin configuration
- Suspicious access to email log functionality without legitimate user sessions
- Password reset requests initiated shortly after unusual plugin API activity
Detection Strategies
- Monitor web server access logs for repeated requests to POST SMTP REST API endpoints
- Implement Web Application Firewall (WAF) rules that restrict requests to the connect-app endpoint to the addresses of known administrator devices, or block the endpoint outright while the mobile app is not in use; a generic "type juggling" signature is not reliable, because the bypass request need not carry any distinctive payload
- Review WordPress audit logs for unauthorized plugin configuration changes
- Set up alerts for API key modification events within the POST SMTP plugin
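The access-log review in the list above, carried out in code as an added example (not from the page or the plugin): it parses combined-format log lines, matches the connect-app route in both its pretty-permalink and ?rest_route= forms, and reports each source address that hit it, marking those outside an assumed trusted list. The log lines are constructed for the example.

```php
<?php
// Added example, not from the page or the plugin: scan web-server access-log
// lines (Apache/Nginx "combined" format) for requests to the connect-app route
// and report the source addresses that hit it. The log lines below are
// constructed for the example; the trusted-address list is an assumption.

// The route in its pretty-permalink form and in the ?rest_route= form used
// when pretty permalinks are off (slashes there may be %2F-encoded).
const CONNECT_APP_ROUTE = '#^(?:/index\.php)?/wp-json/post-smtp/v1/connect-app(?:[/?]|$)'
    . '|[?&]rest_route=(?:/|%2F)?post-smtp(?:/|%2F)v1(?:/|%2F)connect-app#i';

// Parse one combined-format line into its fields; null if it does not parse.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

// Group connect-app requests by source IP, marking addresses not in $trusted.
function find_connect_app_hits(array $lines, array $trusted): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null || !preg_match(CONNECT_APP_ROUTE, $req['target'])) {
            continue;
        }
        $ip = $req['ip'];
        if (!isset($hits[$ip])) {
            $hits[$ip] = ['count' => 0, 'methods' => [], 'first' => $req['time'],
                          'trusted' => in_array($ip, $trusted, true)];
        }
        $hits[$ip]['count']++;
        $hits[$ip]['methods'][$req['method']] = true;
    }
    return $hits;
}

// Constructed sample: one trusted device pairing, one untrusted address that
// hits the route repeatedly (including the rest_route form) and then requests
// a password reset, plus unrelated noise.
$log = [
    '198.51.100.7 - - [10/Jan/2024:09:00:12 +0000] "POST /wp-json/post-smtp/v1/connect-app HTTP/1.1" 200 88 "-" "okhttp/4.9"',
    '203.0.113.9 - - [10/Jan/2024:02:14:01 +0000] "POST /wp-json/post-smtp/v1/connect-app HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Jan/2024:02:14:02 +0000] "POST /index.php?rest_route=%2Fpost-smtp%2Fv1%2Fconnect-app HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Jan/2024:02:14:05 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 4410 "-" "python-requests/2.31"',
    '192.0.2.44 - - [10/Jan/2024:02:20:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9211 "-" "Mozilla/5.0"',
];

foreach (find_connect_app_hits($log, ['198.51.100.7']) as $ip => $h) {
    printf("%-14s first=%s hits=%d methods=%s %s\n", $ip, $h['first'], $h['count'],
        implode(',', array_keys($h['methods'])),
        $h['trusted'] ? 'trusted' : 'UNTRUSTED, investigate');
}
```

On a real log, run the same scan over the full retention window and then check whether an untrusted hit on connect-app is followed, as in the sample, by a lost-password request for an administrator account; that pairing is the sequence described under Attack Vector. Behind a CDN or reverse proxy the first field is the proxy address, so parse the forwarded client address from your log format instead.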
Monitoring Recommendations
- Log request headers and bodies for the plugin's REST routes so that the token values presented to connect-app can be reviewed after the fact; WordPress core does not record request payloads, so this needs a web server module, reverse proxy or logging plugin
- Deploy SentinelOne Singularity to monitor for exploitation attempts and post-exploitation behavior
- Establish baseline traffic patterns to the plugin's REST endpoints for anomaly detection
- Implement real-time alerting for any password reset email access from unexpected sources
How to Mitigate CVE-2023-6875
Immediate Actions Required
- Update POST SMTP Mailer plugin to version 2.8.8 or later immediately
- Review email logs for any unauthorized access or suspicious activity
- Reset the plugin's API key after updating to invalidate any compromised tokens
- Audit administrator accounts for unauthorized password changes
- Review WordPress user accounts for any newly created suspicious accounts
Patch Information
The vulnerability has been patched in POST SMTP Mailer version 2.8.8 and later. The fix replaces the loose comparison with a strict one and validates the supplied token before it is used. The WordPress Plugin Changeset documents the security improvements made to address this vulnerability.
Additional vulnerability details are available from the Wordfence Vulnerability Report.
Workarounds
- If immediate patching is not possible, temporarily disable the POST SMTP mobile app functionality
- Implement IP allowlisting for REST API endpoints at the web server level
- Configure a WAF to block requests to /wp-json/post-smtp/v1/connect-app from untrusted sources
- Monitor and audit all plugin API activity until the update can be applied
# Apache .htaccess rule to block the vulnerable endpoint temporarily.
# Caveat: behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address,
# so apply the allowlist at the proxy instead. Escape dots in the IP (203\.0\.113\.5).
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form of the route ...
RewriteCond %{REQUEST_URI} ^/(index\.php/)?wp-json/post-smtp/v1/connect-app [NC,OR]
# ... and the ?rest_route= form used without pretty permalinks (slashes may be %2F-encoded)
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)?post-smtp(/|%2F)v1(/|%2F)connect-app [NC]
RewriteCond %{REMOTE_ADDR} !^(YOUR_TRUSTED_IP)$
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

