CVE-2021-4422: CSRF
First published: Wed Jul 12 2023(Updated: )
The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Credit: security@wordfence.com security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Post SMTP | <=2.0.20 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/
- https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473579%40post-smtp&new=2473579%40post-smtp&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e018ca7c-06dd-4d40-91d4-4ed188b8aaf2?source=cve
Frequently Asked Questions
What is CVE-2021-4422?
CVE-2021-4422 is a vulnerability in the POST SMTP Mailer plugin for WordPress that allows unauthenticated attackers to trigger a CSV export via a CSRF attack.
How severe is CVE-2021-4422?
CVE-2021-4422 has a severity rating of medium with a CVSS score of 4.3.
Which versions of the POST SMTP Mailer plugin for WordPress are affected by CVE-2021-4422?
CVE-2021-4422 affects versions up to and including 2.0.20 of the POST SMTP Mailer plugin for WordPress.
What is the CWE ID for CVE-2021-4422?
CVE-2021-4422 has a CWE ID of 352.
How can I fix CVE-2021-4422?
To fix CVE-2021-4422, update the POST SMTP Mailer plugin for WordPress to a version higher than 2.0.20, as the vulnerability has been patched in later releases.
- agent/author
- agent/type
- agent/references
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-latest
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/wpexperts
- canonical/post smtp
- version/post smtp/2.0.20