Impact
The vulnerability allows an attacker to bypass access restrictions by exploiting a missing authorization check in the SendGrid for WordPress plugin. It lets the attacker perform plugin operations that should be reserved for privileged users, compromising the integrity of the site's content or configuration. The weakness is a classic broken access control flaw, classified as CWE-862 (Missing Authorization): the protected action is reachable, and the code simply never asks whether the caller is allowed to perform it.
Affected Systems
Smackcoders Inc. publishes the SendGrid for WordPress (wp-sendgrid-mailer) plugin. All versions from the initial release up through and including 1.4 are affected. No sub-versions are singled out, so any WordPress site on which version 1.4 or older of the plugin is installed and active (that is, its code is loaded) should be treated as vulnerable.
Risk and Exploitability
The likely attack vector is an HTTP endpoint exposed by the plugin, but this is inferred from the description: the exact method is not specified. The CVSS score of 4.3 places the issue at medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is a missing authorization layer rather than a broken one, exploitation does not require defeating any check: a user with a valid WordPress session and access to the admin area, even a low-privilege account, could trigger the protected action, and if the plugin's administrative endpoints are reachable without a login, an unauthenticated visitor could as well. Whether unauthenticated access is actually possible is not confirmed by the advisory and should be verified against the affected release before the worst case is assumed. The impact is bounded by the actions the missing check was meant to protect, but those plausibly include the plugin's email configuration, so an attacker could alter email delivery or expose internal data. Operators should confirm the installed plugin version and, until a fixed release is in place, limit who can reach the plugin's administrative endpoints.
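The following is an added illustration of the CWE-862 pattern described in the Impact and Risk sections above. It is not code from wp-sendgrid-mailer, whose exact endpoint the advisory does not specify; the action names, option name, handler functions and the `example/v1` REST namespace are hypothetical. It shows a generic WordPress admin-ajax handler that saves mail settings with no authorization check, the same handler hardened with a capability and nonce check, and the equivalent rule for a REST route.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// NOT code from wp-sendgrid-mailer; every action, option and function name
// below is hypothetical. Load as a plugin file to see the three patterns.

// --- Weak pattern: admin-ajax handler with no authorization check ----------
// Hooking both wp_ajax_ and wp_ajax_nopriv_ makes the handler reachable by
// unauthenticated visitors. Even without the nopriv hook, any logged-in user
// (a subscriber, for example) can call it: wp_ajax_ only requires a session,
// not a capability.
add_action( 'wp_ajax_example_save_mail_settings',        'example_save_mail_settings_weak' );
add_action( 'wp_ajax_nopriv_example_save_mail_settings', 'example_save_mail_settings_weak' );

function example_save_mail_settings_weak() {
    // Missing: capability check and nonce check. Anyone who reaches this
    // endpoint can overwrite the site's outbound mail configuration.
    $settings = array(
        'api_key'    => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'from_email' => sanitize_email( wp_unslash( $_POST['from_email'] ?? '' ) ),
    );
    update_option( 'example_mail_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Hardened pattern --------------------------------------------------------
// Only the privileged hook is registered, the handler requires a capability
// that matches the sensitivity of the action (manage_options: administrators),
// and a nonce ties the request to a form the user actually loaded (CSRF).
add_action( 'wp_ajax_example_save_mail_settings_v2', 'example_save_mail_settings_hardened' );

function example_save_mail_settings_hardened() {
    check_ajax_referer( 'example_mail_settings', '_wpnonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = array(
        'api_key'    => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
        'from_email' => sanitize_email( wp_unslash( $_POST['from_email'] ?? '' ) ),
    );
    update_option( 'example_mail_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Same rule for REST routes ----------------------------------------------
// A route whose permission_callback is '__return_true' is the REST equivalent
// of the weak pattern above. The hardened route checks the capability; for
// cookie-authenticated callers WordPress only honours the session when a
// valid X-WP-Nonce header is present, so CSRF is covered by core.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/mail-settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_mail_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_rest_save_mail_settings( WP_REST_Request $request ) {
    $settings = array(
        'api_key'    => sanitize_text_field( (string) $request->get_param( 'api_key' ) ),
        'from_email' => sanitize_email( (string) $request->get_param( 'from_email' ) ),
    );
    update_option( 'example_mail_settings', $settings );
    return rest_ensure_response( $settings );
}
```

When auditing a plugin for this class of bug, the quickest check is to list every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and `register_rest_route` registration and confirm that each handler (or its `permission_callback`) calls `current_user_can()` with a capability appropriate to the action; input sanitization, as in the weak handler above, does nothing to answer the question of who is allowed to call it.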