CVE-2023-6875

CRITICAL EXPLOITED NUCLEI

Wordpress POST SMTP Account Takeover

Title source: metasploit

Exploitation Summary

CVE-2023-6875 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including UlyssesSaicha, gbrsh, hatlesswizard, including a Metasploit module auxiliary/admin/http/wp_post_smtp_acct_takeover. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates an authentication bypass vulnerability in the Post SMTP plugin for WordPress, allowing unauthorized access to email logs and sensitive information via crafted FCM token headers.

Description

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover. CVE-2023-52233 appears to be a duplicate of this issue.

Exploits (4)

nomisec WORKING POC 25 stars

by UlyssesSaicha · remote

https://github.com/UlyssesSaicha/CVE-2023-6875

View Code ZIP pw:eip

This PoC demonstrates an authentication bypass vulnerability in the Post SMTP plugin for WordPress, allowing unauthorized access to email logs and sensitive information via crafted FCM token headers.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Post SMTP plugin for WordPress (version not specified)

No auth needed

Prerequisites: WordPress with Post SMTP plugin installed · Network access to the target

MITRE ATT&CK

T1133 - External Remote Services T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 6 stars

by gbrsh · remote

https://github.com/gbrsh/CVE-2023-6875

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-6875, which targets PostSMTP Mailer for unauthorized account takeover. The exploit leverages a vulnerability in the plugin to steal password reset keys and change user passwords.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: PostSMTP Mailer (versions before 2.8.8)

No auth needed

Prerequisites: Target must have PostSMTP Mailer plugin installed and vulnerable version · WordPress site must be accessible

MITRE ATT&CK

T1552 - Unsecured Credentials T1078 - Valid Accounts

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by hatlesswizard · remote

https://github.com/hatlesswizard/CVE-2023-6875

View Code ZIP pw:eip

This Go-based exploit targets a WordPress plugin vulnerability (CVE-2023-6875) by abusing the Post SMTP plugin's API to intercept password reset emails, extract the reset link, and upload a malicious shell. It automates the entire attack chain from token placement to admin login.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: WordPress with Post SMTP plugin

No auth needed

Prerequisites: WordPress site with vulnerable Post SMTP plugin · Network access to target

MITRE ATT&CK

T1110.001 - Password Guessing T1552.001 - Credentials In Files

devstral-2 · analyzed Feb 18, 2026 Full analysis →

metasploit WORKING POC

by h00die, Ulysses Saicha · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb

View Code ZIP pw:eip

This Metasploit module exploits CVE-2023-6875, a privilege escalation vulnerability in the WordPress POST SMTP plugin prior to 2.8.7. It allows an unauthenticated attacker to reset the password of an arbitrary user by leveraging password reset functionality and accessing email logs.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: WordPress POST SMTP plugin < 2.8.7

No auth needed

Prerequisites: WordPress installation with vulnerable POST SMTP plugin · Network access to the target

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1110 - Brute Force

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

WordPress POST SMTP Mailer <= 2.8.7 - Authorization Bypass

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: http.html:/wp-content/plugins/post-smtp

FOFA: body=/wp-content/plugins/post-smtp

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry

http://packetstormsecurity.com/files/176525/WordPress-POST-SMTP-Mailer-2.8.7-Authorization-Bypass-Cross-Site-Scripting.html

Issue Tracking

https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Mobile/includes/rest-api/v1/rest-api.php#L60

Product

https://plugins.trac.wordpress.org/changeset/3016051/post-smtp/trunk?contextall=1&old=3012318&old_path=%2Fpost-smtp%2Ftrunk

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/e675d64c-cbb8-4f24-9b6f-2597a97b49af?source=cve

Scores

CVSS v3 9.8

EPSS 0.9368

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-01-10

CWE

CWE-639 CWE-862

Status published

Products (2)

saadiqbal/Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App < 2.8.7

wpexperts/post_smtp < 2.8.7

Published Jan 11, 2024

Tracked Since Feb 18, 2026