WP Mail Gateway <= 1.8 - Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification via 'wmg_save_provider_config' AJAX Action
Details
CVSS v3
8.8
NVD published
2026-05-02 05:16:01
EPSS
<0.1% probability · 5.8th percentile — 2026-05-12
Affected versions
All versions <= 1.8
Summary
The plugin's 'wmg_save_provider_config' AJAX action saves SMTP provider settings without verifying the caller's capabilities. Because wp_ajax_ handlers are reachable by any logged-in user, an authenticated attacker with as little as Subscriber-level access can rewrite the plugin's SMTP configuration, for example to point outgoing mail at a server they control. Every message the site sends, including password reset emails, then passes through the attacker's server; requesting a reset for an administrator account and reading the reset link from the intercepted mail gives the attacker administrator access to the site.
Remediation
Update the WP Mail Gateway plugin to a version after 1.8 that adds the missing capability check. Until the update is applied, reduce the attacker's ability to obtain a low-privilege account (for example by disabling open user registration) or deactivate the plugin; Subscriber is already the lowest built-in role, so tightening role capabilities alone does not close the hole. If exploitation is confirmed or suspected, inspect the plugin's stored SMTP settings for a host or credentials you did not configure and restore the legitimate values, review the user list for accounts or role changes you do not recognize, and reset all administrator credentials.
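The following is an added illustration of the flaw the Summary describes and the fix the Remediation refers to; it is not the plugin's own code. Only the AJAX action name 'wmg_save_provider_config' comes from the advisory. The handler function names, the 'wmg_provider_config' option key, the request field names and the nonce action are assumptions chosen for the example.

```php
<?php
// Added example, not WP Mail Gateway's code. Only the action name
// 'wmg_save_provider_config' is taken from the advisory; function names,
// option key, request fields and nonce action are assumptions.

// BEFORE: the pattern the advisory describes. The wp_ajax_ hook fires for
// any authenticated user, and nothing below asks who the caller is, so a
// Subscriber can overwrite the SMTP settings used for every outgoing mail.
// (Not hooked here so that only the hardened handler is registered.)
function wmg_save_provider_config_unsafe() {
    $config = array(
        'host'     => sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) ),
        'port'     => absint( $_POST['port'] ?? 587 ),
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'password' => (string) wp_unslash( $_POST['password'] ?? '' ),
    );
    update_option( 'wmg_provider_config', $config ); // no capability check, no nonce
    wp_send_json_success();
}

// AFTER: same handler with the two checks a settings-saving AJAX action needs.
add_action( 'wp_ajax_wmg_save_provider_config', 'wmg_save_provider_config_safe' );
function wmg_save_provider_config_safe() {
    // Nonce bound to this action; on failure WordPress stops the request
    // itself (HTTP 403 for AJAX), which also blocks cross-site requests
    // riding on an administrator's session.
    check_ajax_referer( 'wmg_save_provider_config', '_ajax_nonce' );

    // Capability check: only callers allowed to manage site options
    // (administrators by default) may change mail transport settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $config = array(
        'host'     => sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) ),
        'port'     => absint( $_POST['port'] ?? 587 ),
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'password' => (string) wp_unslash( $_POST['password'] ?? '' ),
    );
    update_option( 'wmg_provider_config', $config );
    wp_send_json_success( array( 'host' => $config['host'], 'port' => $config['port'] ) );
}
```

The settings page's JavaScript has to send the matching token, obtained server-side with wp_create_nonce( 'wmg_save_provider_config' ) and passed to the script (for example via wp_localize_script), in the '_ajax_nonce' field. Note that the nonce alone is not the fix: WordPress nonces are issued per user and a Subscriber can obtain a valid one for themselves, so the current_user_can() check is what actually closes the missing-authorization hole. Sanitization is kept in both versions to make the point that input filtering does not substitute for authorization.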