CVE-2025-54011 MEDIUM

CVE-2025-54011: WordPress SMTP2GO plugin <= 1.12.1 - Broken Access Control Vulnerability

Vendor: Smtp2Go
Product: SMTP2GO
Weakness: CWE-862 · Missing authorization
Published: July 16, 2025
Last update: May 13, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Missing Authorization vulnerability in SMTP2GO SMTP2GO smtp2go allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMTP2GO: from n/a through <= 1.12.1.

Explanation of Vulnerability in Simple Terms

02 Summary

SMTP2GO versions up to 1.12.1 lack proper authorization checks, allowing authenticated users to modify data they should not have access to. An attacker with low-privilege account credentials can alter settings or content without proper permission validation. The vulnerability has low integrity impact and requires valid login credentials to exploit.

What an attacker can do

03 Attacker Capabilities

Modify data or settings they should not have permission to change.

Potential impact on your site

04 Site Impact

Authenticated users can alter configuration or content beyond their intended access level.

Conditions required to exploit

05 Prerequisites

Valid login credentials with low-level account privileges.

Key dates

06 Disclosure timeline

July 16, 2025: CVE published
May 13, 2026: Record updated