This alert may not be shared outside your organization, Do Not Repost or send, place on other websites, List servers, or send to others via email, including other associations or parties.  Members and Law enforcement use only. Contact us for any permissions.  To do otherwise will result in the loss of membership.

Complete Story


Critical flaw found in WordPress plugin used on over 300,000 websites


A WordPress plugin used on over 300,000 websites has been found to contain vulnerabilities that could allow hackers to seize control.

Security researchers at Wordfence found two critical flaws in the POST SMTP Mailer plugin.

The first flaw made it possible for attackers to reset the plugin's authentication API key and view sensitive logs (including password reset emails) on the affected website.

A malicious hacker exploiting the flaw could access the key after triggering a password reset. The attacker could then log into the site, lock out the legitimate user, and exploit their access to cause all kinds of mayhem - including publishing unauthorised content, linking to malicious webpages, or planting backdoors.

The second flaw in the plugin allowed hackers to inject malicious scripts into webpages.

Wordfence's researchers contacted the developers of the POST SMTP Mailer plugin about the first flaw on December 8 2023, and on the same day provided proof-of-concept code which demonstrated how it could be exploited.


Printer-Friendly Version



The FRPA alert system distinguishes us from other groups by gathering and providing information to law enforcement, retailers AND financial institutions.

more information


Your electronic library to help in fighting financial fraud for all of our partners.

more information