CVE-2024-3073

EPSS 0.25%
Veröffentlicht 13.06.2024 09:15:13
Zuletzt bearbeitet 08.04.2026 19:21:15
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Easy WP SMTP by SendLayer <= 2.3.0 - Exposure of Sensitive Information via the UI

The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.

Mögliche Gegenmaßnahme

Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more: Update to version 2.3.1, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more

Version *-2.3.0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wp-ecommerce ≫ Easy Wp Smtp SwPlatformwordpress Version < 2.3.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.487

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CWE-257 Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3101553%40easy-wp-smtp&new=3101553%40easy-wp-smtp&sfp_email=&sfph_mail=

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/b043197c-4477-4663-abb8-5840173c574d?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b043197c-4477-4663-abb8-5840173c574d

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-3073

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3073

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3073

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3073