cleantalk
Vulnerabilities and Security Researches

WP SMTP, CVE-2024-1789

CVE, Research URL

CVE-2024-1789

Home page URL

Security reports for WP SMTP

Application

WP SMTP

Published on
Apr 26, 2024
Research Description
The WP SMTP plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in versions 1.2 to 1.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
Min -, max 1.2.7.
Status
vulnerable
Previous vulnerability researches
WP SMTP (CVE-2024-1789) , Jun 07, 2024
WP SMTP (CVE-2025-1123) , May 24, 2025
Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin (CVE-2022-42699) , Jun 07, 2024
Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin (CVE-2019-25141) , Jun 07, 2024
Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin (CVE-2020-35234) , Jun 07, 2024
New vulnerability
Staggs – Product configurator for WooCommerce (CVE-2025-47637) , May 24, 2025
Additional Custom Emails for WooCommerce (CVE-2025-48251) , May 24, 2025
WP SMTP (CVE-2025-1123) , May 24, 2025
Bot for Telegram on WooCommerce (CVE-2025-48268) , May 24, 2025
WP Image Mask (CVE-2025-48235) , May 23, 2025