VYPR
High severity (7.1) · NVD Advisory · Published Apr 10, 2026 · Updated Apr 24, 2026

CVE-2026-4162

Description

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Gravity SMTP for WordPress ≤2.1.4 lacks authorization checks, allowing authenticated attackers (subscriber-level and above) to uninstall and deactivate the plugin and delete its options.

The Gravity SMTP plugin for WordPress, up to and including version 2.1.4, is vulnerable to a Missing Authorization flaw. The plugin fails to properly verify that a user is authorized to perform administrative actions, such as uninstalling or deactivating the plugin and deleting its options. This issue stems from insufficient capability checks on the affected endpoints, allowing lower-privileged users to trigger destructive operations.

Exploitation requires an authenticated account with at least subscriber-level access, which is easy to obtain on sites that allow self-registration or where any user's credentials have been compromised. Additionally, the vulnerability is also exploitable via a Cross-Site Request Forgery (CSRF) vector, meaning an attacker could trick a logged-in administrator into unknowingly performing the unauthorized actions, broadening the attack surface without needing direct authentication [1].

An attacker successfully exploiting this flaw can uninstall or deactivate the Gravity SMTP plugin, disrupting email sending from the WordPress site. More critically, they can delete plugin options, potentially breaking site functionality or hiding evidence of compromise. Since SMTP settings involve credentials for email services, the ability to delete options might also be leveraged to disrupt configured mail connections, causing email delivery failures.

The vendor released version 2.1.5 on April 10, 2026, which includes the necessary authorization checks to fix this vulnerability. All users are strongly advised to update immediately [1]. No workaround other than updating has been identified, and the vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
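The class of defect the advisory describes, shown as an added illustration (this is not Gravity SMTP's code; the hook, nonce and option names are hypothetical): a WordPress AJAX handler that any logged-in user can reach, beside the form that adds the capability check and the nonce check, which close the subscriber-level path and the CSRF path respectively.

```php
<?php
// Added illustration, NOT the plugin's code: 'example_*' names are hypothetical.
// wp_ajax_* hooks fire for every authenticated user, so a handler that performs
// destructive work without its own checks is reachable by a subscriber.
add_action( 'wp_ajax_example_uninstall', 'example_uninstall_weak' );
function example_uninstall_weak() {
    // No capability check: authorization is missing.
    // No nonce check: a forged cross-site request is accepted.
    delete_option( 'example_plugin_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success();
}

// Hardened form of the same handler.
add_action( 'wp_ajax_example_uninstall_safe', 'example_uninstall_safe' );
function example_uninstall_safe() {
    // Authorization: only users allowed to manage plugins and options proceed.
    // This is the check that stops a subscriber-level account.
    if ( ! current_user_can( 'activate_plugins' ) || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }

    // CSRF: the request must carry a nonce that was rendered server-side for
    // this user (e.g. wp_create_nonce( 'example_uninstall_nonce' ) passed to
    // the admin page's script). check_ajax_referer() dies on a bad nonce.
    check_ajax_referer( 'example_uninstall_nonce', 'nonce' );

    delete_option( 'example_plugin_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success();
}
```

A nonce is not authorization: nonces are per-user and any logged-in user can obtain one for themselves, so the capability check is what closes the subscriber-level path, while the nonce closes the CSRF path. Both are needed, and reviewing every `wp_ajax_*`, REST and `admin_post_*` callback for both checks is the practical way to audit a plugin for this class of bug.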

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
