Cybersecurity researchers from Wordfence discovered the flaw in early December last year, and reported it to the developers.

It carried two major flaws: CVE-2023-6875 and CVE-2023-7027.

The latter is a cross-site scripting (XSS) vulnerability, also present in all versions up to 2.8.7.

By abusing it, hackers can inject arbitrary scripts.

Those using the POST SMTP tool should confirm the plugin is brought to version 2.8.8.

According to BleepingComputer, there are some 150,000 websites running POST SMTP versions older than 2.8.

The other 150,000 are using a newer, but still vulnerable, version.

Since the patch was released, some 100,000 new downloads have been made.

POST SMTP is a free plugin, rated 4.8/5 on the WordPress plugin repository.

Generally speaking, WordPress as a website builder is considered safe.

However, there are tens of thousands of free plugins carrying different vulnerabilities.
