CVE-2023-50844
Description
SQL injection vulnerability in WP Mail Catcher versions through 2.1.3 allows attackers to execute arbitrary SQL commands via unsanitized input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin Mail logging – WP Mail Catcher (slug: wp-mail-catcher) is vulnerable to SQL injection in all versions up to and including 2.1.3, tracked as CVE-2023-50844. The weakness is improper neutralization of special elements used in an SQL command (CWE-89): input is used in database queries without being properly sanitized, in the plugin's core SQL construction logic. Version 2.1.4 and later are patched; the current stable release is 2.1.12 as of reference [1].
Exploitation
An attacker can exploit this vulnerability without authentication, as the vulnerable code paths are reachable by unauthenticated users. The plugin logs every outbound email to the database, and values taken from HTTP request parameters reach its SQL queries without sanitization. The attacker needs only network access to a WordPress instance running a vulnerable version of the plugin; no user interaction beyond normal site access is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the WordPress database. This can lead to full disclosure of the database contents, including sensitive data such as user password hashes, and potentially to modification or deletion of data. Because the database underpins the entire WordPress site, this is a high-severity confidentiality and integrity compromise.
Mitigation
The vulnerability has been fixed in version 2.1.4 of the plugin, released on 2024-01-15 per the plugin changelog referenced in the WordPress.org plugin API [1]. Users must update to version 2.1.4 or later (current is 2.1.12). Short of deactivating the plugin until it can be updated, there is no workaround, as the logging functionality inherently processes user-controlled data. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
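To make the Exploitation and Mitigation points concrete, here is an added example that is not the plugin's code and not the 2.1.4 fix: the table, column names, and rows are constructed for this demonstration, and the query shapes are generic, not taken from WP Mail Catcher. It builds an in-memory SQLite database with a mail-log table and a users table, shows how a request parameter spliced into the query text turns a search into a tautology or a UNION that reads password hashes out of another table, and shows the parameterized form that neutralizes the same payloads. In WordPress the equivalent of the parameterized call is $wpdb->prepare() with %s/%d placeholders (plus $wpdb->esc_like() for LIKE patterns).

```python
import sqlite3

# Constructed sample rows standing in for a mail-log table such as a
# logging plugin might keep. Schema and data are assumptions for this
# example, not the plugin's real layout.
MAIL_ROWS = [
    ("alice@example.org", "Password reset", "token=abc123"),
    ("bob@example.org", "Invoice", "Amount due: 42"),
    ("admin@example.org", "Welcome", "Your temporary password is hunter2"),
]

# Constructed user rows; the hashes are placeholders, not real phpass output.
USER_ROWS = [
    ("admin", "$P$B-constructed-hash-1"),
    ("editor", "$P$B-constructed-hash-2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail_log (id INTEGER PRIMARY KEY, "
        "recipient TEXT, subject TEXT, body TEXT)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "user_login TEXT, user_pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO mail_log (recipient, subject, body) VALUES (?, ?, ?)",
        MAIL_ROWS,
    )
    conn.executemany(
        "INSERT INTO users (user_login, user_pass) VALUES (?, ?)", USER_ROWS
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, recipient: str) -> list:
    """CWE-89 pattern: the request parameter is concatenated into the SQL
    text, so a quote in the value ends the literal and the rest is parsed
    as SQL."""
    sql = (
        "SELECT id, recipient, subject FROM mail_log "
        "WHERE recipient = '" + recipient + "'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, recipient: str) -> list:
    """Parameterized form: the value is bound separately from the query
    text and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT id, recipient, subject FROM mail_log WHERE recipient = ?"
    return conn.execute(sql, (recipient,)).fetchall()


# Tautology payload: every row of mail_log matches.
TAUTOLOGY = "nobody@example.org' OR '1'='1"

# UNION payload: same column count as the original SELECT, so rows from the
# users table (login and password hash) come back in the mail-log result.
UNION_DUMP = "x' UNION SELECT id, user_login, user_pass FROM users -- "


def demo() -> dict:
    """Run both query styles against the honest value and the two payloads."""
    conn = make_db()
    out = {
        "honest_vulnerable": search_vulnerable(conn, "bob@example.org"),
        "tautology_vulnerable": search_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": sorted(search_vulnerable(conn, UNION_DUMP)),
        "tautology_fixed": search_fixed(conn, TAUTOLOGY),
        "union_fixed": search_fixed(conn, UNION_DUMP),
    }
    conn.close()
    return out


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The honest lookup behaves the same in both versions; only the payloads differ. The concatenating version returns all three log rows for the tautology and both users' hashes for the UNION, while the parameterized version returns nothing for either, because no recipient literally equals the payload string.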
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=2.1.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.