01 Description (what the vulnerability does)
The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail, which can be used for privilege escalation by triggering a password reset email and using that to access an administrator's account.
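The root cause named above is a WordPress AJAX handler that persists SMTP settings without first asking whether the calling user is allowed to. The following is an added illustration of that defect and of its fix; it is not WP Mail Gateway's actual source. Only the action name wmg_save_provider_config comes from the advisory; the option name, field names, nonce action and handler bodies are assumptions. The important detail for reviewers is that wp_ajax_* hooks fire for every logged-in user, Subscriber included, so the handler itself must enforce authorization.

```php
<?php
// Added example, not the plugin's code. Option name, field names and nonce
// action are hypothetical; only the AJAX action name comes from the advisory.

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_<action> runs for ANY authenticated user. With no capability
// check, a Subscriber can overwrite the site's outbound mail configuration.
function wmg_save_provider_config_unsafe() {
    $config = array(
        'host' => $_POST['host'] ?? '',
        'port' => $_POST['port'] ?? '',
        'user' => $_POST['user'] ?? '',
        'pass' => $_POST['pass'] ?? '',
    );
    update_option( 'wmg_provider_config', $config ); // hypothetical option name
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// Authorization first, then CSRF protection, then input validation.
function wmg_save_provider_config_safe() {
    // 1. Only users permitted to manage site options may change mail routing.
    //    wp_send_json_error() terminates the request after sending the reply.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Verify the nonce so an administrator cannot be tricked into submitting
    //    this request from another site (CSRF). Dies on failure by default.
    //    'wmg_save_provider_config' / 'nonce' are assumed nonce action and field.
    check_ajax_referer( 'wmg_save_provider_config', 'nonce' );

    // 3. Sanitize and validate before persisting anything.
    $host = sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) );
    $port = absint( $_POST['port'] ?? 587 );
    $user = sanitize_text_field( wp_unslash( $_POST['user'] ?? '' ) );
    $pass = (string) wp_unslash( $_POST['pass'] ?? '' );

    if ( '' === $host || $port < 1 || $port > 65535 ) {
        wp_send_json_error( array( 'message' => 'Invalid SMTP host or port' ), 400 );
    }

    update_option( 'wmg_provider_config', array(
        'host' => $host,
        'port' => $port,
        'user' => $user,
        'pass' => $pass,
    ) );
    wp_send_json_success();
}

// Register only the hardened handler. Note there is deliberately no
// wp_ajax_nopriv_ registration: unauthenticated users get nothing.
add_action( 'wp_ajax_wmg_save_provider_config', 'wmg_save_provider_config_safe' );
```

When auditing a plugin for this class of bug, grep for every add_action( 'wp_ajax_ registration and confirm the callback reaches a current_user_can() check before any update_option(), file write or database change; a check_ajax_referer() call alone is not authorization, since a Subscriber can obtain a valid nonce for their own session.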
02 Summary (explanation of the vulnerability in simple terms)
WP Mail Gateway versions 1.8 and earlier lack proper authorization checks, allowing authenticated users with low privileges to read sensitive data, modify site content, or disrupt service. An attacker needs only a standard user account to exploit this vulnerability. Site administrators should update immediately to a version newer than 1.8.
03 Attacker capabilities (what an attacker can do)
Read sensitive data, modify content, or disrupt the site's mail gateway functionality.
04 Site impact (potential impact on your site)
Any registered user can access or modify mail gateway settings and data intended for administrators only.
05 Prerequisites (conditions required to exploit)
Attacker must have a low-privilege user account on the WordPress site.
06 Disclosure timeline (key dates)
May 2, 2026: CVE published
May 4, 2026: Record updated