Impact
The vulnerability is a missing authorization flaw that allows attackers to use plugin functionality that should be restricted by access control lists. The flaw is classified as CWE‑862 (Missing Authorization), meaning that the required authorization check is not enforced. An attacker who can reach the plugin’s endpoints could perform actions beyond their intended permissions, potentially modifying mail server settings, viewing or altering stored credentials, and misusing the send‑mail capability to distribute spam or phishing content.
Affected Systems
The affected product is the WordPress WP Mailgun SMTP plugin from inkthemes. Versions from the earliest release up through and including 1.0.7 are impacted. Any WordPress installation that has this plugin installed at or below version 1.0.7 is vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% suggests that exploitation is unlikely but still possible. The flaw is not listed in CISA’s KEV catalogue, a further indication that it has not been widely exploited. The issue likely requires the attacker to be able to trigger the plugin’s administrative REST endpoints, which may require web authentication or, depending on the site’s configuration, may be reachable without it. Because the vendor provides no direct mitigation or workaround, the risk remains until the plugin is upgraded or access control is tightened.
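To show what "access control is tightened" means for a plugin REST endpoint, the following is an added illustration of a CWE‑862 pattern and its fix in WordPress plugin code; it is not the WP Mailgun SMTP plugin's own code, and the plugin name, route names, option names and callback are hypothetical. The vulnerable registration is kept beside the hardened one for contrast; in a real plugin only the hardened form would be registered.

```php
<?php
// Added illustration (not the affected plugin's code). Route namespace
// "example-smtp/v1" and the option names are hypothetical.

// VULNERABLE: permission_callback accepts every caller, so anyone who can
// reach /wp-json/ can overwrite the stored SMTP credentials (CWE-862).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings-open', array(
        'methods'             => 'POST',
        'callback'            => 'example_smtp_save_settings',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: the same action, but the caller must hold the manage_options
// capability (site administrators). Cookie-authenticated REST requests also
// need a valid X-WP-Nonce header, which WordPress verifies before this
// permission_callback runs; application passwords authenticate via HTTP auth.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_smtp_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change SMTP settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Declare and sanitize inputs so the handler never stores raw request data.
        'args' => array(
            'api_key' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'domain'  => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

// Shared handler: persists the settings. Safe only when the route's
// permission_callback has already rejected unauthorized callers.
function example_smtp_save_settings( WP_REST_Request $request ) {
    update_option( 'example_smtp_api_key', $request->get_param( 'api_key' ) );
    update_option( 'example_smtp_domain',  $request->get_param( 'domain' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When auditing a plugin for this flaw class, grep its `register_rest_route` and `wp_ajax_nopriv_` registrations for `__return_true` or absent permission checks on any route that reads or writes settings.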
OpenCVE Enrichment
EUVD