What the vulnerability does
01 Description
The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
Explanation of Vulnerability in Simple Terms
02 Summary
Post SMTP versions up to and including 3.4.1 do not verify the caller's capability in the 'update_post_smtp_pro_option_callback' function. Because the check is missing, any authenticated user, down to the Subscriber role, can invoke that callback and change the plugin's pro extension options, which is an action that should be reserved for administrators. The published description states the impact as enabling pro extensions; it does not establish that SMTP credentials or mail routing can be altered through this function, so broader claims about redirected mail should be treated as unconfirmed. Exploitation needs a login on the site but no elevated role or capability.
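The following is an added illustration of the vulnerability class this advisory describes (an authenticated WordPress AJAX callback that updates plugin options without a capability check) beside the hardened form of the same handler. It is not the Post SMTP plugin's code; the hook names, option names and function names are hypothetical.

```php
<?php
/**
 * Illustration only: a WordPress AJAX handler that updates a plugin option.
 * NOT the Post SMTP plugin's code. Hook names, option names and function
 * names below are hypothetical examples of the pattern.
 */

// --- Vulnerable pattern ----------------------------------------------------
// The wp_ajax_{action} hook fires for ANY logged-in user, Subscribers included.
// Nothing in the handler confirms the caller may change plugin settings, so
// every authenticated account can flip the option. This is the class of flaw
// described by "missing capability check" in the advisory.
add_action( 'wp_ajax_example_update_pro_option', 'example_update_pro_option_vulnerable' );
function example_update_pro_option_vulnerable() {
    $option = sanitize_key( $_POST['option'] ?? '' );
    $value  = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_pro_' . $option, $value ); // no authorization check
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_example_update_pro_option_safe', 'example_update_pro_option_safe' );
function example_update_pro_option_safe() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this specific action (sent as the 'nonce' POST field). On failure
    //    check_ajax_referer() terminates the request with -1.
    check_ajax_referer( 'example_update_pro_option', 'nonce' );

    // 2. Authorization: only users allowed to manage site options proceed.
    //    This is the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allow-list the option names this endpoint may touch, so a caller
    //    cannot reach arbitrary options through the 'option' parameter.
    $allowed = array( 'extension_a_enabled', 'extension_b_enabled' );
    $option  = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    // 4. Coerce the value to the only two states a toggle can legitimately have.
    $value = ( '1' === ( $_POST['value'] ?? '' ) ) ? '1' : '0';
    update_option( 'example_pro_' . $option, $value );
    wp_send_json_success( array( 'option' => $option, 'value' => $value ) );
}
```

The nonce alone is not an authorization control: a Subscriber can obtain a valid nonce for their own session, so `check_ajax_referer()` stops cross-site forgery but not a low-privilege user acting deliberately. The `current_user_can()` check is what closes the hole; the allow-list and value coercion limit what the endpoint can do even if a future caller is trusted.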
What an attacker can do
03 Attacker Capabilities
Invoke the unprotected 'update_post_smtp_pro_option_callback' function as any authenticated user and enable or change the plugin's pro extension options without holding the capability that should gate that action.
Potential impact on your site
04 Site Impact
Any logged-in user, Subscriber or above, can alter the plugin's pro extension configuration, so that configuration can no longer be trusted to reflect an administrator's choices. The published description limits the stated impact to enabling pro extensions; any effect on mail delivery beyond that is not established by the description and should be verified on the affected site rather than assumed.
Conditions required to exploit
05 Prerequisites
The attacker must hold an authenticated account on the target WordPress site with Subscriber-level access or above, and the site must be running Post SMTP version 3.4.1 or earlier.
Key dates
06 Disclosure timeline
September 3, 2025: CVE published
April 8, 2026: Record updated