What the vulnerability does
01Description
Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects Ultimate WP Mail: from n/a through <= 1.3.5.
CVE-2025-49288
HIGH
CVE-2025-49288: WordPress Ultimate WP Mail plugin <= 1.3.5 - Account Takeover via Email Log Leak Vulnerability
CVSS base score
8.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
02Summary
Ultimate WP Mail versions 1.3.5 and earlier lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or delete email data and configurations. An attacker with a basic user account can access sensitive email settings and message content without restriction. This affects all installations running the vulnerable version range.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete email data and settings with a low-privilege user account.
Potential impact on your site
04Site Impact
Any registered user can access and manipulate email functionality and data, risking data loss and unauthorized email operations.
Conditions required to exploit
05Prerequisites
Attacker must have a valid low-privilege user account on the WordPress site.
Key dates
06Disclosure timeline
June 6, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2026-23977 WordPress Helpdesk Support Ticket System for WooCommerce plugin <= 2.1.2 - Broken Access Control vulnerability
CVE-2024-12028 Friends <= 3.2.1 - Missing Authorization
CVE-2022-38684
CVE-2022-42479 WordPress Soledad premium theme <= 8.2.5 - Broken Access Control vulnerability
CVE-2023-29239 WordPress LuckyWP Scripts Control plugin <= 1.2.1 - Broken Access Control vulnerability
