
Critical Flaws Found In POST SMTP Mailer WordPress Plugin


A WordPress plugin installed on more than 300,000 websites was found to contain vulnerabilities that could allow attackers to take control of affected sites. The two flaws, discovered by Wordfence security researchers Ulyses Saicha and Sean Murphy, affect the POST SMTP Mailer plugin.

Katie Paxton-Fear, API Security Researcher at Traceable AI, says, “This is a really interesting two-in-one bug. The first is a typical XSS, as input from the user is reflected onto the page and can be injected with JavaScript; the second is a type of token generation issue.

In cryptography, a nonce is a random number that prevents a successful login from being replayed. So, think about your car: if you have an older car, you can record the signal from your keys, and then when you replay it you can unlock the car. If you’re an attacker, you just need to wait in a car park until someone beeps your car.

A nonce says, ‘Woah, you need the signal, but also add the current time.’ That way you can’t replay it, because the time will be wrong. The problem comes by saying, ‘Well, what if you just change the time to be the current time rather than the one you recorded?’ Exactly. The nonce is predictable. This is what happened here.

If you take a look at the code, if the auth_key is the same as our nonce then we do stuff, but on line 91 we can see we delete the nonce. Fine, right? Well, our nonce is now just an empty string, and all we need to do is set the auth_key to be empty too and, oops, we now generate a valid fcm_token, granting us access.”
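As an added illustration, not the plugin's own code (and in Python rather than the plugin's PHP), the following models the nonce check described in the quote beside a hardened version that rejects empty values, honours an expiry, compares in constant time and removes the nonce outright once used. The `store` dictionary and the function names `issue_nonce`, `vulnerable_verify` and `hardened_verify` are assumptions made for this example.

```python
import hmac
import secrets
import time

# In-memory stand-in for the stored option (constructed for this
# illustration; not the plugin's real storage, names or code).
store: dict = {}


def issue_nonce(ttl_seconds: int = 300) -> str:
    """Generate a fresh single-use nonce and record when it expires."""
    nonce = secrets.token_hex(16)
    store["nonce"] = nonce
    store["nonce_expires_at"] = time.time() + ttl_seconds
    return nonce


def vulnerable_verify(auth_key: str) -> bool:
    """Models the failure mode described above: the nonce is 'deleted' by
    blanking it, so a later request with an empty auth_key still matches."""
    nonce = store.get("nonce", "")
    if auth_key == nonce:
        store["nonce"] = ""  # clears the nonce but leaves an empty string behind
        return True
    return False


def hardened_verify(auth_key: str) -> bool:
    """Reject empty or missing values, honour the expiry, compare in constant
    time, and remove the nonce outright once it has been used."""
    nonce = store.get("nonce")
    expires_at = store.get("nonce_expires_at", 0.0)
    if not nonce or not auth_key:
        return False  # an absent nonce can never match anything
    if time.time() > expires_at:
        store.pop("nonce", None)
        store.pop("nonce_expires_at", None)
        return False
    if not hmac.compare_digest(auth_key.encode(), nonce.encode()):
        return False
    store.pop("nonce", None)  # single use: the key is removed, not blanked
    store.pop("nonce_expires_at", None)
    return True


if __name__ == "__main__":
    n = issue_nonce()
    print("vulnerable, real key:", vulnerable_verify(n))   # True
    print("vulnerable, empty key:", vulnerable_verify(""))  # True (the flaw)
    n = issue_nonce()
    print("hardened, real key:", hardened_verify(n))        # True
    print("hardened, empty key:", hardened_verify(""))      # False
```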