VYPR
Medium severity (4.3) · NVD Advisory · Published May 28, 2026

CVE-2026-7621

Description

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subscriber-level users can delete all SMTP2GO logs or download a CSV of sensitive email metadata due to missing capability checks.

Vulnerability

The SMTP2GO for WordPress – Email Made Easy plugin versions up to and including 1.16.0 contain missing authorisation checks on the truncateLogs and downloadLogs methods in WordpressPluginAdmin.php [1][2]. Older versions (e.g., 1.14.0) lack any current_user_can check, while later versions still only verify manage_options which is insufficient [3][4]. These handlers are accessible via WordPress admin AJAX or direct page loads without proper capability verification. Versions 1.14.0 and earlier have no access control; versions after that up to 1.16.0 still allow any authenticated user with subscriber-level access to reach the functions [1][2].

Exploitation

An attacker with a valid WordPress subscriber account can visit the admin page that triggers truncateLogs or downloadLogs without being blocked [1][2]. In older versions the functions do not call current_user_can('manage_options') before executing the database query; where a nonce check exists, any valid user session can satisfy it [2][3]. No special privileges beyond a subscriber login are required.

Impact

Successful exploitation allows an attacker to: (1) truncate all records from the smtp2go_api_logs table, permanently deleting all SMTP2GO log entries [1][2]; or (2) download a CSV file containing all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data [1][2]. The first action destroys this sensitive data (recipient and sender email addresses, subjects); the second may disclose it. The attacker does not gain code execution or full site compromise.

Mitigation

No patch has been released as of the publication date (2026-05-28). The vendor has not issued a fix or advisory for any version up to 1.16.0. Site administrators should limit access to subscriber accounts or disable the SMTP2GO plugin until a patched version is released. A possible workaround is to add custom code in a child theme or a separate plugin that checks current_user_can('manage_options') before the vulnerable actions execute.
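The workaround described above, written out as a must-use plugin. This is an added example for this page, not code from the SMTP2GO plugin or its vendor: the guarded action names are placeholders and must be replaced with the names the installed plugin actually registers via `add_action('wp_ajax_...')`. It relies on the fact that `admin-ajax.php` fires `admin_init` before dispatching any `wp_ajax_{action}` hook, so the guard runs before the plugin's own handler.

```php
<?php
/**
 * Plugin Name: Example privileged-AJAX guard
 * Description: Added example (not the SMTP2GO plugin's code). Blocks selected
 * admin-ajax actions for users without manage_options, before the plugin's
 * handler runs. Place in wp-content/mu-plugins/ so it cannot be deactivated
 * from the dashboard.
 */

/**
 * AJAX action names to protect. PLACEHOLDERS: read the real names from the
 * installed plugin's add_action( 'wp_ajax_<name>', ... ) registrations.
 */
function example_guarded_ajax_actions() {
    return array(
        'example_truncate_logs',  // placeholder
        'example_download_logs',  // placeholder
    );
}

/**
 * Refuse guarded actions unless the caller may manage options.
 * admin-ajax.php runs do_action( 'admin_init' ) before wp_ajax_{action},
 * so this executes before the plugin's handler is reached.
 */
function example_guard_privileged_ajax_actions() {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, example_guarded_ajax_actions(), true ) ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators proceed to the plugin's own handler
    }
    // Leave a trace of the blocked attempt in the PHP error log (or the
    // WP_DEBUG_LOG target) so repeated probing by low-privilege accounts is visible.
    error_log( sprintf(
        'example-guard: blocked admin-ajax action "%s" for user %d from %s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // terminates the request
}
add_action( 'admin_init', 'example_guard_privileged_ajax_actions' );
```

The guard only covers the admin-ajax path; the advisory also mentions direct page loads reaching the same methods, and protecting that route would need the same `current_user_can('manage_options')` test keyed on the plugin's own page and query parameters, which this page does not name. The guard is a stopgap until a vendor fix ships, not a substitute for one.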

References

[1]: https://plugins.trac.wordpress.org/browser/smtp2go/trunk/app/WordpressPluginAdmin.php#L75
[2]: https://plugins.trac.wordpress.org/browser/smtp2go/trunk/app/WordpressPluginAdmin.php#L85
[3]: https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.0/app/WordpressPluginAdmin.php#L85
[4]: https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.0/app/WordpressPluginAdmin.php#L75

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing authorization check in AJAX handlers allows any authenticated user to trigger log truncation or log export."

Attack vector

An authenticated attacker with subscriber-level access or higher can craft a request to the WordPress admin AJAX endpoint that triggers either `truncateLogs()` or `downloadLogs()`. The methods check for the `manage_options` capability and a nonce, but the AJAX hooks that route to these methods are not protected by a capability check before the method is reached. This allows the attacker to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data, including recipient addresses, sender addresses, message subjects, and API response data [1].

Affected code

The vulnerable methods are `truncateLogs()` and `downloadLogs()` in the `WordpressPluginAdmin` class (file `app/WordpressPluginAdmin.php`). Both methods check `current_user_can('manage_options')` and a nonce, but the AJAX actions that invoke them are registered without a capability check, allowing any authenticated user (including subscriber-level) to call them.

What the fix does

The advisory does not include a patch diff, but the remediation would require adding proper capability checks (e.g., `current_user_can('manage_options')`) in the AJAX handler registration or within the `truncateLogs()` and `downloadLogs()` methods before any action is taken. The nonce check alone is insufficient because the nonce can be obtained by any authenticated user who visits the relevant admin page.
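To make the remediation concrete, the following is an added example written for this page, not code from the SMTP2GO plugin: a log-truncation handler that relies on a nonce alone, beside the hardened form of the same handler and of a CSV export handler in which a capability check runs before the nonce check and before any database access. Hook names, nonce action, table and column names are placeholders.

```php
<?php
// Added example, not the SMTP2GO plugin's code. All hook names, the nonce
// action, the table name and the function names are placeholders.

// --- Vulnerable pattern: reachable by every logged-in user ---------------
// wp_ajax_{action} hooks run for any authenticated request, so "authenticated"
// includes subscribers. A nonce proves the request came from a page the user
// was served, not that the user is permitted to perform the action: any account
// that can load that page is handed a valid nonce.
add_action( 'wp_ajax_example_truncate_logs', 'example_truncate_logs_vulnerable' );

function example_truncate_logs_vulnerable() {
    check_ajax_referer( 'example_logs_nonce', 'nonce' ); // CSRF protection only
    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_api_logs" );
    wp_send_json_success( 'logs truncated' );
}

// --- Hardened pattern: authorization, then CSRF check, then the action ---
add_action( 'wp_ajax_example_truncate_logs_v2', 'example_truncate_logs_fixed' );
add_action( 'wp_ajax_example_download_logs_v2', 'example_download_logs_fixed' );

/**
 * Shared gate: ends the request with 403 unless the caller may manage options.
 * Placed before the nonce check and before any database access, so an
 * unauthorized caller never reaches either.
 */
function example_require_manage_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // terminates
    }
}

function example_truncate_logs_fixed() {
    example_require_manage_options();
    check_ajax_referer( 'example_logs_nonce', 'nonce' );
    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_api_logs" );
    wp_send_json_success( 'logs truncated' );
}

function example_download_logs_fixed() {
    example_require_manage_options();
    check_ajax_referer( 'example_logs_nonce', 'nonce' );
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT id, sender, recipient, subject, api_response FROM {$wpdb->prefix}example_api_logs",
        ARRAY_A
    );
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="api-logs.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'id', 'sender', 'recipient', 'subject', 'api_response' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die(); // end the AJAX response without further output
}
```

The ordering matters: the capability test is the authorization decision, the nonce only ties the request to a page the caller was served, and neither the `TRUNCATE` nor the `SELECT` executes until both have passed.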

Preconditions

  • auth: Attacker must have a valid WordPress user account with at least subscriber-level privileges.
  • config: The SMTP2GO plugin must be installed and active.
  • network: Attacker must be able to send HTTP requests to the WordPress admin AJAX endpoint.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 11

News mentions: 0 (no linked articles in our index yet)