CVE-2026-32519 CRITICAL

CVE-2026-32519: WordPress Bit SMTP plugin <= 1.2.2 - Broken Authentication vulnerability

Vendor Bit Apps
Product Bit SMTP
Weakness CWE-266
Published March 25, 2026
Last update April 29, 2026

CVSS base score

9.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2.

Explanation of Vulnerability in Simple Terms

02Summary

Bit SMTP versions up to 1.2.2 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service availability. The attack requires network access and high technical complexity but does not require authentication or user interaction. The vulnerability affects the entire system scope, making it a critical risk for any site using this component.

What an attacker can do

03Attacker Capabilities

Read sensitive data, modify site content, or disrupt service availability without authentication.

Potential impact on your site

04Site Impact

Attackers can compromise confidentiality, integrity, and availability of your site without needing valid credentials.

Conditions required to exploit

05Prerequisites

Network access and high technical complexity to exploit; no authentication or user interaction required.

Key dates

06Disclosure timeline

March 25, 2026 CVE published
April 29, 2026 Record updated

Related vulnerabilities

08Related CVE