Could enable a global attack
Sıla Özeren, security research engineer at Picus Security, added that the security hole in this plugin doesn’t merely threaten the company using it, but it mostly enables a launching point for a global attack.
“What makes [this hole] especially alarming is its chain potential: Once a WordPress instance is hijacked, attackers can inject scripts that steal credentials from visitors, plant SEO spam for monetization, or pivot into hosting infrastructure. A single misconfigured site can quickly become a node in a global attack network,” Özeren said. “It’s proof that the smallest coding omission can have the widest blast radius.”
The hole, Özeren said, is “a textbook case of Broken Access Control, the top-ranked web application weakness in OWASP’s Top 10. The missing capability check in the plugin’s PostmanEmailLogs constructor, a single unguarded function, is enough to compromise confidentiality, integrity, and availability in one step.”