CVE-2024-13844

4.9 MEDIUM

📋 TL;DR

The Post SMTP WordPress plugin contains a SQL injection vulnerability in the 'columns' parameter that allows authenticated administrators to execute arbitrary SQL queries. This can lead to disclosure of sensitive database contents. Only WordPress sites running Post SMTP plugin versions up to and including 3.1.2 are affected.

💻 Affected Systems

Products:
  • Post SMTP Mailer/Email Log (WordPress plugin)
Versions: All versions up to and including 3.1.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated administrator access to exploit. WordPress multisite installations with administrator privileges are also affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator-level attackers could extract all database contents including user credentials, sensitive configuration data, and potentially gain full database control.

🟠 Likely Case

Malicious administrators or compromised admin accounts could extract user data, email configurations, and other sensitive information from the database.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrators who already have significant system access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. Public proof-of-concept code exists in GitHub gists and security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.3 and later

Vendor Advisory: https://wordpress.org/plugins/post-smtp/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Post SMTP Mailer/Email Log.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.1.3+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the Post SMTP plugin until patched

wp plugin deactivate post-smtp

Access Restriction

all

Restrict administrator account access and implement strong authentication controls

🧯 If You Can't Patch

  • Implement strict access controls for administrator accounts and monitor for suspicious activity
  • Deploy web application firewall rules to block SQL injection patterns in POST requests

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Post SMTP Mailer/Email Log → Version. If version is 3.1.2 or lower, you are vulnerable.

Check Version:

wp plugin get post-smtp --field=version

Verify Fix Applied:

Verify plugin version is 3.1.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in WordPress debug logs
  • Multiple POST requests to /wp-admin/admin-ajax.php with 'columns' parameter containing SQL syntax

Network Indicators:

  • POST requests containing UNION, SELECT, or other SQL keywords in parameters
  • Unusual database query patterns from WordPress application

SIEM Query:

source="wordpress.log" AND "columns" AND ("UNION" OR "SELECT" OR "FROM" OR "WHERE")
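The log indicators and SIEM query above match raw keywords anywhere in a log line, which misses percent-encoded values and fires on legitimate column names such as from_email. The following script is an added detection example, not part of the original advisory or the plugin's own code: it parses access-log lines in the common/combined format, decodes the query string of POST requests to /wp-admin/admin-ajax.php, and reports 'columns' values that contain SQL keywords as whole words. The sample log lines and the EXAMPLE_ACTION value are constructed for the example; the log format and keyword list are assumptions based on the indicators listed above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined access-log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Keywords named in the advisory's indicators. Whole-word matching (\b) keeps
# legitimate column names such as from_email or select_count from triggering.
SQL_KEYWORD_RE = re.compile(r'\b(UNION|SELECT|FROM|WHERE)\b', re.IGNORECASE)

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample lines (not real traffic). EXAMPLE_ACTION is a placeholder action name.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&columns=id%2Csubject HTTP/1.1" 200 512
203.0.113.11 - - [10/Jan/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&columns=id%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 2048
203.0.113.12 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
203.0.113.13 - - [10/Jan/2025:10:00:12 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&columns=from_email%2Cselect_count HTTP/1.1" 200 300
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if the line does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_columns_values(target):
    """Return decoded 'columns' values of an admin-ajax.php request that contain SQL keywords.

    parse_qs decodes percent-encoding and '+' before matching, so encoded values are not missed.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return []
    values = parse_qs(parts.query, keep_blank_values=True).get("columns", [])
    return [v for v in values if SQL_KEYWORD_RE.search(v)]


def scan_log(text):
    """Scan log text and return one finding per POST request whose 'columns' value looks like SQL."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        hits = suspicious_columns_values(rec["target"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "columns": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious columns value(s): {f['columns']}")
```

A standard web-server access log records only the request line, so this script sees parameters sent in the query string; parameters carried in a POST body are only visible if request-body logging (for example a WAF or ModSecurity audit log) is enabled, in which case the same `suspicious_columns_values` check can be applied to the decoded body. Because the vulnerability requires an administrator account, a hit should be correlated with the authenticated user who made the request rather than treated as an anonymous probe.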

🔗 References