The Post SMTP plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the handle_office365_oauth_redirect() function, which is hooked to admin_init without verifying user capabilities or nonces. This allows authenticated users with low privileges (Subscriber and above) to modify Office 365 OAuth configuration settings, including access tokens, refresh tokens, and user email, by sending a crafted URL. This configuration is used during the Microsoft365 SMTP wizard setup, which is only available in the Pro version of the plugin. Exploitation could cause an administrator to unknowingly connect the plugin to an attacker-controlled Azure application, potentially compromising email delivery settings. The vulnerability affects all versions up to and including 3.8.0. A patch is available to fix this issue.

An attacker with Subscriber-level access or higher can overwrite critical Office 365 OAuth configuration settings in the plugin, potentially redirecting email delivery through attacker-controlled credentials. This could lead to unauthorized control over email sending capabilities configured via the plugin, misleading administrators during setup and possibly enabling further attacks on email infrastructure. There is no indication of impact on confidentiality or availability, but integrity of email configuration is compromised.

A patch is available for this vulnerability. Users of the Post SMTP plugin should update to the fixed version beyond 3.8.0 as soon as possible to prevent unauthorized modification of Office 365 OAuth settings. Until patched, restrict plugin access to trusted users only and monitor for suspicious configuration changes. No vendor advisory content contradicts these recommendations.