• Resolved zkarj

    (@zkarj)


    I’ve just had one of my WordPress sites hacked — the only two registered users got password reset requests followed shortly afterwards by password changed confirmations. The site has been taken offline for now while I try to figure out how they did that.

    I have been looking through the logs and found this sequence that comes from the IP address listed in the password reset request emails and coincides with the time the accounts were compromised.

    It shows the attacker hitting on both WordPress authentication functions and POST-SMTP endpoints. The only simple way I can conceive they could succeed with the password resets is if they knew the contents of the reset request email… which is why the POST-SMTP log entries caught my eye.

    Here is the sequence of requests up to approximately the time the first account was compromised.

    POST /wp-json/post-smtp/v1/connect-app
    GET /wp-json/post-smtp/v1/get-logs
    GET /wp-json/wp/v2/users
    POST /wp-login.php?action=lostpassword
    … repeats a number of times
    GET /wp-json/post-smtp/v1/get-logs
    GET /wp-json/post-smtp/v1/get-log?id=334
    GET /wp-admin/admin.php?access_token=fpupydtoihsgszleuhivseszhfcsdnuc&type=log&log_id=334
    GET /wp-login.php?action=rp&key=q8SWvA19xeKq49i8pjId&login=elli&wp_lang=en_US
    GET /wp-login.php?action=rp&wp_lang=en_US
    POST /wp-login.php?action=resetpass
    GET /wp-json/post-smtp/v1/get-log?id=333

    I accept my configuration of POST-SMTP may have been an issue, but would like to understand if this was in fact a possible attack vector and if so, how can I avoid it when I bring the site back from a backup?

    • This topic was modified 1 year, 2 months ago by zkarj.
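The request sequence above is unusual enough to be matched mechanically. The script below is an added example, not code from the original post or from the Post SMTP plugin: it parses access-log lines in the common "combined" format, tags each request as a stage of the chain the poster describes (app connect, mail-log read, lost-password request, reset link used) and reports clients that complete the whole chain within a time window. The log lines, IP addresses, timestamps, token and reset key are all constructed for the example and mirror the quoted sequence; the stage names, the window and the verdict wording are this example's own choices. An access log cannot show whether the connect-app call was authenticated, so a hit is a triage lead, not proof by itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (combined format). It follows the order quoted in the
# post; addresses, times, sizes, the token and the reset key are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jan/2024:10:14:02 +0000] "POST /wp-json/post-smtp/v1/connect-app HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:03 +0000] "GET /wp-json/post-smtp/v1/get-logs HTTP/1.1" 200 8841 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1532 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:09 +0000] "GET /wp-json/post-smtp/v1/get-log?id=334 HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:10 +0000] "GET /wp-admin/admin.php?access_token=EXAMPLETOKEN&type=log&log_id=334 HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:15 +0000] "GET /wp-login.php?action=rp&key=EXAMPLEKEY&login=elli&wp_lang=en_US HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [02/Jan/2024:10:14:20 +0000] "POST /wp-login.php?action=resetpass HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [02/Jan/2024:10:30:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 4012 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2024:10:30:12 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Post SMTP REST routes seen in the post that return stored mail (including
# password-reset mails) to whoever holds a valid app token.
POST_SMTP_LOG_PATHS = {"/wp-json/post-smtp/v1/get-logs", "/wp-json/post-smtp/v1/get-log"}


def parse_line(line):
    """Parse one combined-format line into ip, time, method, path, query, status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def classify(req):
    """Map a request to a stage of the chain described in the post, or None."""
    path, q, method = req["path"], req["query"], req["method"]
    action = q.get("action", [None])[0]
    if method == "POST" and path == "/wp-json/post-smtp/v1/connect-app":
        return "connect_app"          # mobile-app token issued
    if path in POST_SMTP_LOG_PATHS:
        return "log_read"             # mail log listed or fetched via REST
    if path == "/wp-admin/admin.php" and "access_token" in q and q.get("type") == ["log"]:
        return "log_read"             # mail log fetched with the app token
    if path == "/wp-json/wp/v2/users":
        return "user_enum"            # login names harvested
    if path == "/wp-login.php" and method == "POST" and action == "lostpassword":
        return "lost_password"        # reset mail triggered
    if path == "/wp-login.php" and action == "rp" and "key" in q:
        return "reset_link"           # reset link from the mail used
    if path == "/wp-login.php" and method == "POST" and action == "resetpass":
        return "reset_pass"           # new password set
    return None


def analyze(log_text, window=timedelta(hours=1)):
    """Return {ip: finding} for clients that connect the app, request a reset,
    read the mail log after that request, and then use a reset link, all within
    `window`. Failed requests (status >= 400) are ignored. The reset key itself
    is deliberately not copied into the finding; it is a credential until used."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and req["status"] < 400:
            stage = classify(req)
            if stage:
                by_ip[req["ip"]].append((req["ts"], stage, req))

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        stages = {s for _, s, _ in events}
        if not {"connect_app", "log_read", "lost_password", "reset_link"} <= stages:
            continue
        connect_ts = min(ts for ts, s, _ in events if s == "connect_app")
        request_ts = min(ts for ts, s, _ in events if s == "lost_password")
        reset_ts = max(ts for ts, s, _ in events if s == "reset_link")
        log_read_in_between = any(
            s == "log_read" and request_ts <= ts <= reset_ts for ts, s, _ in events
        )
        if not (log_read_in_between and connect_ts <= reset_ts <= connect_ts + window):
            continue
        findings[ip] = {
            "verdict": "password reset via leaked mail log",
            "first": connect_ts,
            "last": events[-1][0],
            "accounts": sorted({r["query"]["login"][0] for _, s, r in events
                                if s == "reset_link" and "login" in r["query"]}),
            "log_ids": sorted({r["query"][k][0] for _, s, r in events if s == "log_read"
                               for k in ("id", "log_id") if k in r["query"]}),
            "user_enum": "user_enum" in stages,
        }
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["verdict"], "accounts:", f["accounts"], "log ids:", f["log_ids"])
```

Run it against a real access log by reading the file into `analyze`; the flagged accounts are the ones whose reset links were consumed, and the log ids are the Post SMTP entries that were read, which should be checked (and purged) before the site is restored.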
Viewing 4 replies - 1 through 4 (of 4 total)
  • This is a known critical vulnerability. In plain English, any dummy with basic programming skills can take over your website.

    https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/

    It has been fixed in v 2.8.8, see this cute changelog entry:

    2.8.8 – 2024-01-01
    Improvement: Added sanitization and escape functions in POST SMTP Mobile App QR code scanning window

    Not very clear? Yes. Apparently, most plugin vendors do it that way.

    Thread Starter zkarj

    (@zkarj)

    Thanks for that info Patrick! I worked out I last updated the site on… 31 December!

    dkedinger

    (@dkedinger)

    Note that after patching to the new version there is still a potential risk that the bad actor, while logged into the site, may have connected the POST SMTP mobile app to gain access to logs remotely. The plugin also appears to have a bug that doesn’t allow that mobile device connection to be disconnected in the admin database.

    • This reply was modified 1 year, 1 month ago by dkedinger.
    • This reply was modified 1 year, 1 month ago by Yui. Reason: removed other plugin reference
    Plugin Support M Haseeb

    (@haseeb0001)

    @dkedinger

    Only administrators have access to the QR Code and can connect with the Post SMTP Mobile Application, and there is a disconnect option in our plugin also; to disconnect a connected device, please refer to the video tutorial here.

    We have addressed these issues in versions 2.8.7 and 2.8.9. (The latest version is 2.8.11). If you encounter any problems, kindly provide screenshots along with details, and we will assist you further.

    Thanks and regards,
    Support Team – WPExperts  

  • The topic ‘Possible leakage of email logs?’ is closed to new replies.