CVE-2026-4020
Sensitive Information Exposure in Gravity SMTP WordPress Plugin
Publication date: 2026-03-31
Last updated on: 2026-03-31
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gravityforms | gravity_smtp | up to and including 2.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Gravity SMTP plugin for WordPress, up to and including version 2.1.4, exposes sensitive information. The REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data is registered with a permission callback that always returns true, so any visitor can call it without authentication.
When the query parameter ?page=gravitysmtp-settings is added, the plugin returns a large JSON response (about 365 KB) containing a full System Report. This report includes detailed system configuration data: PHP version and loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with their versions, the active theme, WordPress configuration details, database table names, and any API keys or tokens configured in the plugin.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to retrieve detailed and sensitive system information from your WordPress site. Exposure of such information can aid attackers in crafting targeted attacks, exploiting other vulnerabilities, or gaining unauthorized access.
- Disclosure of PHP version and loaded extensions could reveal exploitable software versions.
- Exposure of web server version and document root path can help attackers understand the server environment.
- Revealing database server type, version, and table names can facilitate database attacks.
- Listing all active plugins and their versions may expose known plugin vulnerabilities.
- Exposure of API keys and tokens can lead to unauthorized use of integrated services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data is accessible without authentication and returns a large JSON response containing detailed system information.
A simple way to test this is to send an HTTP GET request to the endpoint with the query parameter ?page=gravitysmtp-settings appended and observe if sensitive system data is returned.
Example command using curl to detect the vulnerability:
- `curl -s -k 'https://your-wordpress-site.com/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings'`
If the response contains a large JSON payload (~365 KB) with system configuration details such as PHP version, WordPress version, active plugins, and API keys, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Gravity SMTP plugin to version 2.1.5 or later, which addresses this vulnerability.
If updating immediately is not possible, restrict access to the vulnerable REST API endpoint with firewall rules or web server configuration so that unauthenticated requests to /wp-json/gravitysmtp/v1/tests/mock-data are blocked.
Additionally, review and remove any sensitive API keys or tokens stored in the plugin configuration until the update is applied.
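One way to apply the interim restriction inside WordPress itself, as an added example that is not code from Gravity SMTP or Wordfence: a must-use plugin that rejects calls to the /gravitysmtp/v1/tests/ routes unless the caller has an authenticated session with the manage_options capability. The file name and the choice of capability are assumptions; the route prefix comes from the endpoint named above.

```php
<?php
/**
 * Plugin Name: Gravity SMTP test-route guard (example interim mitigation)
 *
 * Added example, not code from Gravity SMTP or Wordfence. Save it as
 * wp-content/mu-plugins/gravitysmtp-route-guard.php (hypothetical name)
 * to require an administrator session for /gravitysmtp/v1/tests/* REST
 * routes until the plugin is updated to 2.1.5 or later.
 */

// Route prefix to guard; the page names /gravitysmtp/v1/tests/mock-data.
const GSMTP_GUARD_PREFIX = '/gravitysmtp/v1/tests/';

/**
 * Short-circuit REST dispatch for guarded routes unless the caller already
 * has an authenticated session with the manage_options capability.
 *
 * @param mixed           $result  Pre-dispatch result (null means "continue").
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The incoming request.
 * @return mixed WP_Error for blocked requests, otherwise $result unchanged.
 */
function gsmtp_guard_rest_pre_dispatch( $result, $server, $request ) {
    $route = $request->get_route();

    // Only touch the vulnerable test routes; leave every other endpoint alone.
    if ( strpos( $route, GSMTP_GUARD_PREFIX ) !== 0 ) {
        return $result;
    }

    // WordPress only sets the current user for REST cookie auth when a valid
    // nonce accompanies the request, so unauthenticated callers fail here.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Leave a trace for detection: blocked probes land in the PHP error log.
    error_log( sprintf( 'gsmtp-guard: blocked %s %s from %s',
        $request->get_method(), $route, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );

    return new WP_Error(
        'rest_forbidden',
        'Authentication required for this endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'gsmtp_guard_rest_pre_dispatch', 10, 3 );
```

Remove the file once the plugin update is applied; legitimate administrator use of the plugin's own test page continues to work because those requests carry a valid REST nonce.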
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access detailed system configuration data, including API keys and tokens, which constitutes sensitive information exposure.
Such exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
By allowing unrestricted access to internal system and configuration details, this vulnerability undermines the confidentiality and security controls mandated by these standards.