Vulnerabilities and security researches forwp-mail-logging wp-mail-logging

Jun 07, 2024

CVE, Research URL: CVE-2021-38314
Home page URL: Security reports for WP Mail Logging
Application: WP Mail Logging
Date: Sep 02, 2021
Research Description: The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-3081
Home page URL: Security reports for WP Mail Logging
Application: WP Mail Logging
Date: Jul 12, 2023
Research Description: The WP Mail Logging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 1.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: An incomplete fix was released in 1.11.1.
Affected versions: Min -, max -.
Status: vulnerable