CVE-2024-3073: CWE-257 Storing Passwords in a Recoverable Format in smub Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.
AI Analysis
Technical Summary
The Easy WP SMTP plugin for WordPress versions up to 2.3.0 stores and displays the SMTP password in a recoverable plaintext format within the plugin's settings page. This information exposure vulnerability (CWE-257) allows users with administrative-level access to retrieve the SMTP password, potentially aiding further attacks if an administrator account is compromised. The CVSS 3.1 base score is 2.7, reflecting low impact due to the requirement of high privileges and no direct impact on integrity or availability. A patch is available to remediate this vulnerability.
Potential Impact
An authenticated attacker with administrative privileges can view the SMTP password in plaintext. While this does not directly compromise the system, it could facilitate further attacks if the administrator account is compromised. There is no known exploitation in the wild. The confidentiality impact is limited to the exposure of the SMTP password; integrity and availability are not affected.
Mitigation Recommendations
A patch is available for this vulnerability and should be applied to upgrade the Easy WP SMTP plugin to a fixed version. Until patched, restrict administrative access to trusted users only. No additional vendor advisory details are provided, so check the plugin's official update channels for the patch.
CVE-2024-3073: CWE-257 Storing Passwords in a Recoverable Format in smub Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more
Description
The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Easy WP SMTP plugin for WordPress versions up to 2.3.0 stores and displays the SMTP password in a recoverable plaintext format within the plugin's settings page. This information exposure vulnerability (CWE-257) allows users with administrative-level access to retrieve the SMTP password, potentially aiding further attacks if an administrator account is compromised. The CVSS 3.1 base score is 2.7, reflecting low impact due to the requirement of high privileges and no direct impact on integrity or availability. A patch is available to remediate this vulnerability.
Potential Impact
An authenticated attacker with administrative privileges can view the SMTP password in plaintext. While this does not directly compromise the system, it could facilitate further attacks if the administrator account is compromised. There is no known exploitation in the wild. The confidentiality impact is limited to the exposure of the SMTP password; integrity and availability are not affected.
Mitigation Recommendations
A patch is available for this vulnerability and should be applied to upgrade the Easy WP SMTP plugin to a fixed version. Until patched, restrict administrative access to trusted users only. No additional vendor advisory details are provided, so check the plugin's official update channels for the patch.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-03-28T22:32:59.632Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c8cb7ef31ef0b566254
Added to database: 2/25/2026, 9:41:32 PM
Last enriched: 4/9/2026, 7:27:24 AM
Last updated: 4/12/2026, 7:55:20 AM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.