CVE-2026-6963
The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account.
View on NVDAnalysis
The WP Mail Gateway plugin for WordPress allows authenticated subscribers to hijack SMTP settings and escalate privileges by intercepting password resets. While the impact is severe for affected sites, this is a niche plugin with a small install base and does not represent a systemic risk to the broader developer community.
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCWE-862EPSS
Technical description
The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account.
References
- https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Bootstrap.php#L47
- https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Functions.php#L111
- https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Bootstrap.php#L47
- https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Functions.php#L111
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3515205%40wp-mail-gateway&new=3515205%40wp-mail-gateway&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c7caf1f4-a8dd-4016-91eb-2adbeed5290a?source=cve