NotCVE - vendor:"Wpexperts" product:"Post Smtp" version:"

6 results (0.001 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

CVE-2023-6621 – Post SMTP < 2.8.7 - Reflected Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2023-6621

The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. POST SMTP WordPress plugin anterior a 2.8.7 no sanitiza ni escapa el parámetro msg antes de devolverlo a la página, lo que genera cross site scripting reflejado que podría usarse contra usuarios con privilegios elevados, como el administrador. • https://wpscan.com/vulnerability/b49ca336-5bc2-4d72-a9a5-b8c020057928 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-6629 – POST SMTP Mailer <= 2.8.6 - Reflected Cross-Site Scripting via msg

https://notcve.org/view.php?id=CVE-2023-6629

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress es vulnerable a cross site scripting reflejado a través del parámetro 'msg' en todas las versiones hasta la 2.8.6 inclusive debido a una sanitización de entrada y escape insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace. The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. • https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L396 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3012318%40post-smtp%2Ftrunk&old=3006604%40post-smtp%2Ftrunk&sfp_email=&sfph_mail=#file4 https://www.wordfence.com/threat-intel/vulnerabilities/id/7681f984-d488-4da7-afe1-988e5ad012f2?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2

CVE-2023-7027 – POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device

https://notcve.org/view.php?id=CVE-2023-7027

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress es vulnerable a cross site scripting almacenado a través del encabezado 'device' en todas las versiones hasta la 2.8.7 inclusive debido a una sanitización de entrada y escape insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. WordPress POST SMTP Mailer plugin versions 2.8.7 and below suffer from authorization bypass and cross site scripting vulnerabilities. • http://packetstormsecurity.com/files/176525/WordPress-POST-SMTP-Mailer-2.8.7-Authorization-Bypass-Cross-Site-Scripting.html https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L79 https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/mobile.php#L219 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3016126%40post-smtp%2Ftrunk&old=3012318%40post-smtp%2Ftrunk&sfp_email=&sfph_mail= https://www • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2023-3178 – POST SMTP Mailer < 2.5.7 - Arbitrary Log Deletion via CSRF

https://notcve.org/view.php?id=CVE-2023-3178

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack. El complemento POST SMTP Mailer de WordPress anterior a 2.5.7 no tiene comprobaciones CSRF adecuadas en algunas acciones AJAX, lo que podría permitir a los atacantes hacer que los usuarios registrados con la capacidad de Manage_postman_smtp eliminen registros arbitrarios mediante un ataque CSRF. The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.6. This is due to incorrect nonce validation on the delete_logs_ajax() function. This makes it possible for unauthenticated attackers to delete logs granted they can trick a site user with the manage_postman_smtp capability into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/5341cb5d-d204-49e1-b013-f8959461995f • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

CVE-2022-2352 – Post SMTP < 2.1.7 - Admin+ Blind SSRF

https://notcve.org/view.php?id=CVE-2022-2352

The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example. El plugin Post SMTP Mailer/Email Log de WordPress versiones anteriores a 2.1.7, no presenta la autorización adecuada en algunas acciones AJAX, lo que podría permitir a usuarios con altos privilegios, como los administradores, llevar a cabo SSRF ciegos en instalaciones multisitio, por ejemplo. The Post SMTP plugin for WordPress is vulnerable to blind Server-Side Request Forgery. This is due to improper authorization on some of the plugin's AJAX actions. • https://wpscan.com/vulnerability/dc99ac40-646a-4f8e-b2b9-dc55d6d4c55c • CWE-918: Server-Side Request Forgery (SSRF) •

1 2