CVE-2023-6875: 
WordPress vulnerability analysis and mitigation

The POST SMTP Mailer plugin for WordPress (CVE-2023-6875) contains a critical vulnerability discovered in January 2024. This security flaw affects all versions up to and including 2.8.7 of the plugin, which is used by over 300,000 WordPress websites. The vulnerability stems from a type juggling issue in the connect-app REST endpoint, allowing unauthorized access and modification of data (Security Online).

The vulnerability has been assigned a Critical CVSS score of 9.8, indicating its severe nature. The security flaw exists due to a type juggling issue in the connect-app REST endpoint, which enables unauthenticated attackers to bypass authorization controls. The vulnerability was discovered by security researcher Ulyses Saicha (Security Online, NVD).

The vulnerability allows unauthenticated attackers to reset the API key used for mailer authentication and view sensitive logs, including password reset emails. This access can ultimately lead to complete site takeover. The impact is particularly significant given that over 300,000 WordPress sites use this plugin (Security Online).

Website owners are strongly advised to update to version 2.8.8 or later of the Post SMTP plugin to protect against this vulnerability. This version contains the necessary security fixes to address the type juggling issue (Security Online).