VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2024 · Updated Apr 8, 2026 · No known patch

SendGrid for WordPress <= 1.4 - Missing Authorization to Authenticated (Subscriber+) Log Deletion

CVE-2024-9364

Description

The SendGrid for WordPress plugin up to version 1.4 allows authenticated attackers (Subscriber+) to delete log files due to a missing capability check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The SendGrid for WordPress plugin (wp-sendgrid-mailer) in all versions up to and including 1.4 contains a missing capability check in the wp_mailplus_clear_logs function registered via wp_ajax_ [1][2]. This function, intended for administrators to clear plugin logs, is hooked without verifying the user's role, allowing any authenticated user to trigger it. No current_user_can() check is present, so the AJAX action is accessible to Subscriber-level accounts and above.
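The bug class described above, as an added illustration that is not the plugin's actual source: a hypothetical handler on the wp_ajax_wp_mailplus_clear_logs hook with the missing check, beside a hardened form that verifies a nonce and an administrator capability. The function bodies, the log directory and the nonce name are assumptions made for this example.

```php
<?php
// Added example, not the plugin's own code. Log directory, nonce name and
// the handler bodies are assumptions chosen to illustrate the pattern.

// --- Vulnerable pattern: the callback is hooked via wp_ajax_ with neither a
// nonce check nor a capability check, so any logged-in user who can reach
// admin-ajax.php (Subscriber and above) can trigger the deletion.
function wp_mailplus_clear_logs_vulnerable() {
    $log_dir = WP_CONTENT_DIR . '/uploads/wp-mailplus-logs/'; // assumed location
    foreach ( glob( $log_dir . '*.log' ) ?: array() as $file ) {
        unlink( $file );
    }
    wp_send_json_success( 'Logs cleared' );
}
// Registration as it would appear in the vulnerable version (left unregistered
// here so that only the hardened handler is attached to the hook below):
// add_action( 'wp_ajax_wp_mailplus_clear_logs', 'wp_mailplus_clear_logs_vulnerable' );

// --- Hardened pattern: require a nonce tied to this action AND a capability
// only administrators hold before touching the filesystem.
function wp_mailplus_clear_logs_hardened() {
    // CSRF protection: the admin page must emit wp_create_nonce( 'wp_mailplus_clear_logs' )
    // in the request's 'nonce' field; on mismatch this dies with HTTP 403.
    check_ajax_referer( 'wp_mailplus_clear_logs', 'nonce' );

    // Authorization: manage_options is an administrator-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $log_dir = realpath( WP_CONTENT_DIR . '/uploads/wp-mailplus-logs/' ); // assumed location
    if ( false === $log_dir ) {
        wp_send_json_error( 'Log directory not found', 404 );
    }

    foreach ( glob( $log_dir . '/*.log' ) ?: array() as $file ) {
        // Defensive: only delete regular files that resolve inside the log directory.
        if ( is_file( $file ) && dirname( realpath( $file ) ) === $log_dir ) {
            unlink( $file );
        }
    }
    wp_send_json_success( 'Logs cleared' );
}
add_action( 'wp_ajax_wp_mailplus_clear_logs', 'wp_mailplus_clear_logs_hardened' );
```

The fix the advisory implies is the current_user_can() gate; the nonce check is the matching protection against a logged-in administrator being tricked into issuing the request.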

Exploitation

An attacker needs only a WordPress account with Subscriber-level access or higher. By sending an authenticated AJAX request to wp_ajax_wp_mailplus_clear_logs, the attacker can invoke the function to delete the plugin's log files. The action does not require any specific nonce validation beyond the standard WordPress AJAX handling, and there is no check for administrative privileges. The attacker simply crafts a POST request to the WordPress admin-ajax endpoint with the action parameter.

Impact

Successful exploitation results in unauthorized loss of log data. The attacker can delete all log files that the plugin has generated, which may contain records of email delivery attempts, errors, or other debugging information. This could disrupt troubleshooting efforts and hide evidence of malicious activity. The impact is limited to log deletion; no code execution, privilege escalation, or data exfiltration is achieved.

Mitigation

No patched version exists. The plugin has been closed and removed from the WordPress.org plugin directory as of October 16, 2024, citing a security issue [3]. Users must immediately uninstall the plugin and switch to an alternative SendGrid integration. There is no workaround, and the plugin is effectively end-of-life.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3 · Patches: 0

Plugin removed: SendGrid for WordPress (wp-sendgrid-mailer)

This plugin has been removed from the WordPress.org directory on 2024-10-16 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page
