CVE-2024-13844 identifies a SQL Injection vulnerability in the Post SMTP plugin for WordPress, which supports multiple SMTP services including Gmail SMTP, Office 365, Brevo, Mailgun, and Amazon SES. The vulnerability exists in all versions up to and including 3.1.2 due to insufficient escaping and lack of proper preparation of the 'columns' parameter in SQL queries. This flaw allows authenticated users with administrator privileges to append arbitrary SQL commands to existing queries. Because the injection occurs in a context that does not require user interaction beyond authentication, an attacker can extract sensitive data from the WordPress database, compromising confidentiality. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS 3.1 base score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and impact limited to confidentiality. No patches or known exploits have been reported at the time of publication. The plugin's widespread use in WordPress sites makes this a relevant threat vector for website administrators and organizations relying on this plugin for SMTP email delivery and logging.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database, including potentially user data, configuration details, and email logs. Since the attacker must have administrator-level access, the risk is elevated in environments where administrator credentials are compromised or shared insecurely. Exploitation does not affect data integrity or availability but can lead to significant privacy breaches and data leakage. Organizations relying on the Post SMTP plugin for critical email functions may face compliance and reputational risks if sensitive data is exposed. The vulnerability could also be leveraged as part of a broader attack chain if attackers use extracted data to escalate privileges or pivot to other systems. Given the plugin's integration with major email services, compromised data could include email routing and logging information, which may aid further attacks or espionage.

1. Immediately restrict administrator access to trusted personnel only and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise. 2. Monitor database query logs for unusual or unexpected SQL commands that could indicate exploitation attempts. 3. Implement web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'columns' parameter in the plugin's requests. 4. Regularly audit and review plugin usage and permissions within WordPress to ensure minimal privilege principles are enforced. 5. Backup WordPress databases frequently and securely to enable recovery in case of data compromise. 6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. 7. Consider temporarily disabling or replacing the plugin with alternative SMTP solutions if immediate patching is not feasible. 8. Educate administrators about the risks of SQL injection and the importance of secure credential management.