Impact
An insertion of sensitive information into sent data vulnerability (CWE-201) in the WP Gmail SMTP plugin allows an attacker to retrieve sensitive data that the plugin embeds in what it transmits. The plugin includes confidential information in its outbound communications, so that information reaches parties beyond the intended recipients. Depending on what is embedded, confidential data such as credentials or private email content could be read by anyone able to observe the mail traffic or the plugin's output, breaking the confidentiality the plugin is expected to provide and potentially leading to credential compromise or data leakage.
Affected Systems
WordPress sites running the WP Gmail SMTP plugin by Inkthemes at version 1.0.7 or earlier are affected. Exposure depends on the plugin version alone, not on any additional configuration, so every site with a version at or below 1.0.7 should be treated as affected. The advisory does not name a fixed release; operators should confirm the installed version and check the plugin's changelog or repository for a release newer than 1.0.7 before assuming a site is safe.
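A way to check the installed version against the 1.0.7 cutoff, added here as an example and not part of the advisory or of the plugin's own code: it reads the `Version:` field from a plugin's main-file header (the same field WordPress uses to determine the installed version) and compares it component by component, so that a version such as 1.0.10 is correctly judged newer than 1.0.7 where a plain string comparison would rank it lower. The directory name `wp-gmail-smtp` and the sample header the script creates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check whether an installed WordPress plugin is at or below
# the affected version named in the advisory (1.0.7 for WP Gmail SMTP).
# Not the plugin's or OpenCVE's code; paths and sample header are constructed.

AFFECTED_THROUGH="1.0.7"

# Print the "Version:" field from a plugin's main-file header comment.
# WordPress reads the same field to decide which version is installed.
plugin_version() {
    grep '^[[:space:]*]*Version:' "$1" | head -n 1 \
        | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 when $1 <= $2, comparing dot-separated numeric components.
# Plain string comparison gets this wrong: "1.0.10" sorts before "1.0.7" as text.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 0
    }'
}

# Report whether the plugin file is within the affected range.
# Exit status: 0 = affected, 1 = not affected, 2 = could not determine.
plugin_is_affected() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "no Version header found in $1" >&2
        return 2
    fi
    if version_le "$v" "$AFFECTED_THROUGH"; then
        echo "$1: version $v is affected (<= $AFFECTED_THROUGH)"
        return 0
    fi
    echo "$1: version $v is not in the affected range (> $AFFECTED_THROUGH)"
    return 1
}

# Demonstration on a constructed plugin header, not the real plugin file.
# On a live site the path would be along the lines of
#   wp-content/plugins/wp-gmail-smtp/<main-file>.php   (directory name assumed)
demo_dir=$(mktemp -d)
cat > "$demo_dir/plugin.php" <<'EOF'
<?php
/*
Plugin Name: WP Gmail SMTP (constructed sample header)
Version: 1.0.7
Author: Inkthemes
*/
EOF
plugin_is_affected "$demo_dir/plugin.php" || true
rm -rf "$demo_dir"
```

On a site where WP-CLI is available, `wp plugin list --fields=name,version` prints the same header field for every installed plugin, which is the quickest way to find the path to feed into `plugin_is_affected`.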
Risk and Exploitability
The CVSS score of 5.8 places this vulnerability at medium severity, and the EPSS score below 1% indicates a low estimated probability of exploitation in the wild. It is not listed in the CISA KEV catalog, so no active exploitation is known at this time. The likely attack path runs through the plugin's email-sending functionality: whoever can trigger the SMTP send, or read what the plugin produces when it sends, may obtain the exposed data. No privileges beyond the ability to use or initiate that sending are required, so every site running an affected version should be treated as exposed until the plugin is updated to a version newer than 1.0.7 or removed.
OpenCVE Enrichment