Multiple WordPress Plugins Vulnerabilities
CERT-MU Vulnerability Note VN-2023-07
Date of Issue: 17.07.2023
Severity Rating: High
Affected Plugins:
WP Mail Logging Team WP Mail Logging plugin
Post SMTP POST SMTP Mailer plugin
FluentSMTP & WPManageNinja Team FluentSMTP plugin
YayCommerce YaySMTP plugin
WPVibes WP Mail Log plugin
James Ward WP Mail Catcher plugin
Description
These WordPress plugins are vulnerable to cross-site scripting, caused by improper
validation of user-supplied input. A remote attacker could exploit this vulnerability to inject
malicious script into a Web page, which would be executed in a victim’s Web browser within the
security context of the hosting Web site once the page is viewed. An attacker could use this
vulnerability to steal the victim’s cookie-based authentication credentials.
Solution
Users are advised to apply updates to address the vulnerabilities. Before applying the patch, please
visit the vendor website for more details:
https://plugins.trac.wordpress.org/changeset/2924014/wp-mail-catcher
https://plugins.trac.wordpress.org/changeset/2923464/wp-mail-logging
https://plugins.trac.wordpress.org/changeset/2925728/wp-mail-logging
https://plugins.trac.wordpress.org/changeset/2935537/post-smtp
https://plugins.trac.wordpress.org/changeset/2935217/fluentsmtp/trunk/app/Models/Logger.php
https://plugins.trac.wordpress.org/changeset/2935217/fluentsmtp/trunk/app/Services/Mailer/BaseHandler.php
https://plugins.trac.wordpress.org/changeset/2931706/wp-mail-log
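To act on the update advice, an administrator first needs to know which of these plugins a site carries and at what version. The following is an added example, not part of the CERT-MU note: it checks a `wp-content/plugins` directory for the slugs that appear in the changeset URLs above and reads each installed version from the plugin header. The function names and the sample tree are constructed; YaySMTP is left out because the page gives no slug for it, and since fixed versions are not stated here the output is meant to be compared against the vendor changesets.

```python
import re
import tempfile
from pathlib import Path

# Plugin directory slugs as they appear in the advisory's changeset URLs.
# YaySMTP is listed as affected, but the page gives no slug for it.
ADVISORY_SLUGS = ("wp-mail-catcher", "wp-mail-logging", "post-smtp",
                  "fluentsmtp", "wp-mail-log")

# WordPress takes the version from a "Version:" line in the plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress only inspects the first 8 KiB of a file for headers.
        head = php.read_bytes()[:8192].decode("utf-8", errors="replace")
        if re.search(r"Plugin Name:", head, re.IGNORECASE):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def find_advisory_plugins(plugins_root):
    """Map each advisory slug installed under plugins_root to its version."""
    found = {}
    for slug in ADVISORY_SLUGS:
        d = Path(plugins_root) / slug
        if d.is_dir():
            found[slug] = plugin_version(d) or "unknown"
    return found

def demo():
    """Scan a constructed plugins tree (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "post-smtp").mkdir()
        (root / "post-smtp" / "main.php").write_text(  # constructed file and version
            "<?php\n/*\n * Plugin Name: Post SMTP\n * Version: 0.0.1\n */\n")
        (root / "fluentsmtp").mkdir()   # directory present, header file missing
        (root / "hello-dolly").mkdir()  # unrelated plugin, ignored
        return find_advisory_plugins(root)

if __name__ == "__main__":
    for slug, version in demo().items():
        print(f"{slug}: installed version {version}; compare with the vendor changeset")
```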
CVE Information
CVE-2023-3080 CVSS:7.2
CVE-2023-3081 CVSS:7.2
CVE-2023-3082 CVSS:7.2
CVE-2023-3087 CVSS:7.2
CVE-2023-3088 CVSS:7.2
CVE-2023-3093 CVSS:7.2
References
https://nvd.nist.gov/vuln/detail/CVE-2023-3080
https://nvd.nist.gov/vuln/detail/CVE-2023-3081
https://nvd.nist.gov/vuln/detail/CVE-2023-3082
https://nvd.nist.gov/vuln/detail/CVE-2023-3087
https://nvd.nist.gov/vuln/detail/CVE-2023-3088
https://nvd.nist.gov/vuln/detail/CVE-2023-3093
https://www.wordfence.com/threat-intel/vulnerabilities/id/1525e1c9-4b94-4f9f-92c5-fc69fe000771?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/ef20b3e6-d8f4-458e-b604-b46ef16e229e?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/6ecd0fa6-4fdb-4780-9560-0bb126800685?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa47a794-e5ce-491d-a10bc7c5718aa853?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/86ee1acb-6f0c-40e6-80a0-fc93b61c1602?source=cve
https://www.wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e?source=cve
Report Cyber Incidents
Report cyber security incidents on the Mauritian Cybercrime Online Reporting System (MAUCORS –
http://maucors.govmu.org/)
Contact Information
Computer Emergency Response Team of Mauritius (CERT-MU)
Ministry of Information Technology, Communication and Innovation
Tel: (+230) 4602600
Hotline No: (+230) 800 2378
Gen. Info. : contact@cert.govmu.org
Incident: incident@cert.govmu.org
Website: http://cert-mu.govmu.org
MAUCORS: http://maucors.govmu.org