A cross-site scripting (XSS) vulnerability has been discovered in 14 different email logging plugins for WordPress.

The vulnerability allows an attacker to inject malicious code into the emails that are generated by the plugins. This code could then be used to steal user data, hijack user sessions, or redirect users to malicious websites.

Below is a table detailing the affected plugins, along with their respective slugs, CVEs, links, reported dates, disclosed dates, and fixed versions.

Plugin NamePlugin SlugCVEReported DateDisclosed DateFixed Version
WP Mail Catcherwp-mail-catcherCVE-2023-3080June 4, 2023June 8, 20231.11.1
WP Mail Loggingwp-mail-loggingCVE-2023-3081June 1, 2023June 7, 20231.11.1
Post SMTPpost-smtpCVE-2023-3082June 1, 2023July 10, 20232.5.8
WP Mail Logwp-mail-logCVE-2023-3088June 1, 2023July 4, 20231.1.2
FluentSMTPfluent-smtpCVE-2023-3087June 2, 2023July 5, 20232.2.5
SMTP Mailsmtp-mailCVE-2023-3092June 2, 2023July 4, 2023Plugin closed. Awaiting fixed release.
YaySMTPyaysmtpCVE-2023-3093June 2, 2023June 11, 20232.4.6
GD Mail Queuegd-mail-queueCVE-2023-3122June 5, 2023June 8, 20234.0
Mailtree Log Mailmailtree-log-mailCVE-2023-3135June 5, 2023June 19, 20231.0.1
MailArchivermailarchiverCVE-2023-3136June 5, 2023July 11, 20232.11.0
Mail Controlmail-controlCVE-2023-3158June 6, 2023July 9, 2023Plugin closed. No fix.
Lana Email Loggerlana-email-loggerCVE-2023-3166June 6, 2023June 7, 20231.1.0
Mail Queuemail-queueCVE-2023-3167June 6, 2023June 21, 20231.2
WP Reroute Emailwp-reroute-emailCVE-2023-3168June 7, 2023July 4, 20231.5.0

To exploit the vulnerability, an attacker would need to send an email to a user who is using one of the affected plugins. The email would need to contain malicious code in the subject line. When the user opens the email, the malicious code would be executed in the user’s browser.

READ
Forces Penpals Data Breach Exposes Over 1.1 Million Sensitive Records

We encourage WordPress users to verify that their sites are updated to the latest patched version if an affected plugin is being used.