CVE-2023-5673
📋 TL;DR
The WP Mail Log WordPress plugin before version 1.1.3 fails to properly validate file extensions when uploading attachments to emails, allowing attackers to upload PHP files. This vulnerability enables remote code execution on affected WordPress sites. All WordPress installations using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP Mail Log WordPress plugin
📦 What is this software?
Wp Mail Log by Wpvibes
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress server, allowing them to execute arbitrary code, steal data, install backdoors, or pivot to other systems.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or deploy malware for further attacks.
If Mitigated
With proper file upload restrictions and web application firewalls, exploitation attempts are blocked and logged.
🎯 Exploit Status
Exploitation requires access to the email attachment upload functionality, which typically requires some level of authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.3
Vendor Advisory: https://wpscan.com/vulnerability/231f72bf-9ad0-417e-b7a0-3555875749e9
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the WP Mail Log plugin.
4. Click 'Update Now' if available, or download version 1.1.3+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable WP Mail Log plugin (all platforms)
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate wp-mail-log
Restrict PHP file execution in the uploads directory via .htaccess (Linux)
Stop the web server from serving, and therefore executing, PHP files in the upload location. Place the rule in wp-content/uploads/.htaccess, not in the site root: a site-wide PHP deny blocks WordPress itself. It only takes effect on Apache with AllowOverride enabled for that directory; nginx ignores .htaccess entirely. The Order/Deny syntax below is the Apache 2.2 form, which Apache 2.4 honours only when mod_access_compat is loaded (the native 2.4 equivalent is Require all denied). Extend the pattern if your PHP handler also maps extensions such as .phtml or .phar.
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Implement strict file upload validation at the application level
- Deploy a web application firewall (WAF) with file upload protection rules
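The following is an added example of the application-level validation recommended above; it is not code from the WP Mail Log plugin or from WPVibes. It models what a strict attachment check looks like: every extension in the name (not just the last one) must be on an allowlist, PHP-style extensions are rejected anywhere in the name, path components are refused, and the file body must match the magic bytes expected for its type. The allowlist, the magic-byte table and the function name `validate_attachment` are assumptions made for the demo.

```python
"""Strict attachment-name and content validation for an upload handler.

Added example modelling the application-level check the advisory
recommends; not code from the WP Mail Log plugin. The allowlist below is
an assumption for the demo; a real deployment uses the attachment types
its mail flow actually needs.
"""
import os
import re

# Constructed allowlist of attachment extensions for the example.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "csv"}

# Extensions commonly mapped to the PHP handler. They are rejected even
# when they appear as an inner extension (e.g. "report.php.pdf").
PHP_LIKE = re.compile(r"^(php\d*|phtml|phar|pht|phps)$", re.IGNORECASE)

# Magic bytes for the constructed allowlist; a body that does not start
# with the bytes expected for its final extension is rejected.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def validate_attachment(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    Accepts only bare filenames whose *every* extension is on the allowlist
    and whose content matches the magic bytes for the final extension when
    one is known. Text-like types additionally get a cheap PHP-tag sniff.
    """
    # Refuse anything that is not a plain basename (handles / and \).
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return False, "path components not allowed"
    if "\x00" in base:
        return False, "NUL byte in filename"

    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        # Covers "noext" as well as dotfiles such as ".htaccess".
        return False, "missing extension"

    exts = [p.lower() for p in parts[1:]]
    for ext in exts:
        if PHP_LIKE.match(ext):
            return False, f"executable extension '{ext}' rejected"
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension '{ext}' not on allowlist"

    final = exts[-1]
    if final in MAGIC and not content.startswith(MAGIC[final]):
        return False, f"content does not look like {final}"

    # A renamed PHP file under a .txt/.csv name is still caught here.
    head = content[:4096]
    if b"<?php" in head or b"<?=" in head:
        return False, "PHP open tag in content"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs exercising the main rejection paths.
    samples = [
        ("report.pdf", b"%PDF-1.7 constructed"),
        ("shell.php", b"<?php echo 1; ?>"),
        ("report.php.pdf", b"%PDF-1.7"),
        ("../escape.pdf", b"%PDF-1.7"),
        ("notes.txt", b"<?php echo 1; ?>"),
        (".htaccess", b"AddType application/x-httpd-php .txt"),
    ]
    for name, body in samples:
        print(f"{name:18} -> {validate_attachment(name, body)}")
```

The check runs before the file is written anywhere; the uploads-directory .htaccess rule above remains the second layer in case the application check is bypassed.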
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for the WP Mail Log version. If the version is below 1.1.3, the installation is vulnerable.
Check Version:
wp plugin get wp-mail-log --field=version
Verify Fix Applied:
Verify WP Mail Log plugin version is 1.1.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory
- PHP file uploads via email attachment endpoints
- Web server logs showing POST requests to wp-mail-log upload handlers
Network Indicators:
- HTTP POST requests with PHP file uploads to WordPress admin endpoints
- Unusual outbound connections from WordPress server after file upload
SIEM Query:
source="web_server" AND (uri_path="*wp-mail-log*" AND method="POST" AND file_extension="php")
The file_extension field is only populated if the SIEM ingests a source that sees the upload body (a WAF or reverse-proxy log); plain Apache/nginx access logs record the request line but not the uploaded filename, so on those sources drop the file_extension clause and correlate POSTs to wp-mail-log handlers with new PHP files under wp-content/uploads/.
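The following is an added example, not part of the advisory, that turns the log and file-system indicators above into runnable detection logic. It parses combined-format access log lines and flags POSTs to wp-mail-log handlers and requests for PHP files under wp-content/uploads/, and it sweeps an uploads tree for files that carry a PHP-style extension anywhere in their name or begin with a PHP open tag. The log lines and the files are constructed for the demo; the advisory gives only the "wp-mail-log" path fragment, so the admin-ajax action name in the sample line is an assumption, not the plugin's real handler.

```python
"""Detection helpers for the WP Mail Log upload indicators.

Added example, not part of the advisory. Log lines and the demo uploads
tree are constructed; the handler path in the sample POST is assumed.
"""
import os
import re
import tempfile

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions commonly mapped to the PHP handler.
PHP_EXT_RE = re.compile(r"\.(php\d*|phtml|phar|pht)$", re.IGNORECASE)

# Constructed sample lines: a benign login page view, an upload POST to an
# assumed wp-mail-log handler, and a fetch of a PHP file from uploads/.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1345',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] '
    '"POST /wp-admin/admin-ajax.php?action=wp-mail-log_upload HTTP/1.1" 200 87',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] '
    '"GET /wp-content/uploads/2023/10/attach-1.php HTTP/1.1" 200 12',
]


def suspicious_log_lines(lines):
    """Return one dict per line matching the advisory's log indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        path_only = path.split("?", 1)[0]
        if m.group("method") == "POST" and "wp-mail-log" in path.lower():
            hits.append({"ip": m.group("ip"), "path": path,
                         "reason": "post-to-wp-mail-log"})
        elif "/wp-content/uploads/" in path_only and PHP_EXT_RE.search(path_only):
            hits.append({"ip": m.group("ip"), "path": path,
                         "reason": "php-under-uploads"})
    return hits


def php_files_under(root):
    """Walk an uploads tree and return sorted paths that look like PHP:
    a PHP-style extension anywhere in the name, or a PHP open tag in the
    first 4 KiB of the body (catches PHP renamed to .pdf/.jpg)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if any(PHP_EXT_RE.search("." + part) for part in name.split(".")[1:]):
                found.append(full)
                continue
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if b"<?php" in head or b"<?=" in head:
                found.append(full)
    return sorted(found)


def build_demo_uploads():
    """Create a constructed uploads tree: a real-looking image stub, a PHP
    body under a .pdf name, and a double-extension file. Returns the root."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    sub = os.path.join(root, "2023", "10")
    os.makedirs(sub)
    with open(os.path.join(sub, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 constructed jpeg stub")
    with open(os.path.join(sub, "invoice.pdf"), "wb") as fh:
        fh.write(b"<?php /* constructed: php body under a pdf name */ ?>")
    with open(os.path.join(sub, "report.php.txt"), "wb") as fh:
        fh.write(b"constructed double-extension file")
    return root


def demo_scan():
    """Build the demo tree, scan it, and return the flagged basenames."""
    return [os.path.basename(p) for p in php_files_under(build_demo_uploads())]


if __name__ == "__main__":
    for hit in suspicious_log_lines(SAMPLE_LOG):
        print("log:", hit)
    for name in demo_scan():
        print("file:", name)
```

Run the file-system sweep from a cron job or your EDR's custom-script hook against the real wp-content/uploads/ path; any hit there is a high-confidence finding, since that directory should never contain PHP on a healthy site.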