Impact
The vulnerability is a missing authorization flaw: the Saad Iqbal Post SMTP plugin does not verify a user's capabilities before processing certain requests, so the access control on those requests is effectively misconfigured. An attacker who can reach the affected plugin endpoints could potentially trigger actions reserved for privileged users, such as sending arbitrary emails or changing plugin settings. The advisory does not describe code execution or data exfiltration, but the missing checks expose the site to unauthorized operations.
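To make the bug class concrete, the following is an added illustration of a missing authorization check in a WordPress plugin request handler, shown in its vulnerable and hardened forms. It is not Post SMTP's code: the prefix example_smtp, the AJAX action names, the nonce action name, the option key example_smtp_options and the REST namespace example-smtp/v1 are all assumed for the example. The point it demonstrates is that a CSRF nonce check is not an authorization check; the handler also has to ask whether the caller is allowed to do what it is about to do.

```php
<?php
/*
 * Added illustration of the missing-authorization pattern in WordPress plugin
 * request handlers. NOT Post SMTP's code; the prefix "example_smtp", the AJAX
 * action names, the nonce action, the option key and the REST namespace are
 * assumed for the example.
 */

/* ---- Vulnerable pattern: CSRF nonce checked, capability never checked ---- */

function example_smtp_save_settings_vulnerable() {
    // check_ajax_referer() only proves the request came from a page that
    // rendered this nonce. Any logged-in user can obtain such a nonce, so this
    // is CSRF protection, not authorization.
    check_ajax_referer( 'example_smtp_settings', 'nonce' );

    $options              = get_option( 'example_smtp_options', array() );
    $options['smtp_host'] = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    $options['smtp_port'] = absint( $_POST['smtp_port'] ?? 587 );
    update_option( 'example_smtp_options', $options );

    wp_send_json_success( $options );
}
// Any authenticated user, down to the Subscriber role, can reach this via
// POST /wp-admin/admin-ajax.php?action=example_smtp_save_vulnerable
add_action( 'wp_ajax_example_smtp_save_vulnerable', 'example_smtp_save_settings_vulnerable' );

/* ---- Hardened pattern: authorization is its own check, done first ---- */

function example_smtp_save_settings_secure() {
    check_ajax_referer( 'example_smtp_settings', 'nonce' );

    // Authorization: only users who may manage site options (Administrators
    // by default) may change mail transport settings. wp_send_json_error()
    // terminates the request, so nothing below runs for an unauthorized caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $options              = get_option( 'example_smtp_options', array() );
    $options['smtp_host'] = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    $options['smtp_port'] = absint( $_POST['smtp_port'] ?? 587 );
    update_option( 'example_smtp_options', $options );

    wp_send_json_success( $options );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated callers are
// rejected by admin-ajax.php before the handler runs.
add_action( 'wp_ajax_example_smtp_save_secure', 'example_smtp_save_settings_secure' );

/* ---- Same bug in REST form: a permission_callback that always returns true ---- */

add_action( 'rest_api_init', function () {
    // Vulnerable: '__return_true' makes the route reachable by anyone,
    // including unauthenticated clients, whatever the callback does.
    register_rest_route( 'example-smtp/v1', '/settings-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'example_smtp_rest_save',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the permission callback carries the capability check. Cookie-
    // authenticated REST requests still need a valid X-WP-Nonce header, which
    // core verifies before this callback is consulted.
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_smtp_rest_save',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_smtp_rest_save( WP_REST_Request $request ) {
    $options              = get_option( 'example_smtp_options', array() );
    $options['smtp_host'] = sanitize_text_field( $request->get_param( 'smtp_host' ) ?? '' );
    $options['smtp_port'] = absint( $request->get_param( 'smtp_port' ) ?? 587 );
    update_option( 'example_smtp_options', $options );
    return rest_ensure_response( $options );
}
```

A quick way to verify a handler's access check during review is to log in as a Subscriber, obtain the page nonce, and send the same POST the admin UI sends: the hardened handlers answer with a 403 error payload, while the vulnerable ones silently update the option. On multisite, manage_options may not be the right capability for a network-wide mail setting; pick the capability that matches the scope of the state being changed rather than copying this one.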
Affected Systems
All installations of the Saad Iqbal Post SMTP plugin, from the initial release up to and including version 3.6.1, are affected. The issue applies to every WordPress site on which this plugin is installed and active, regardless of the hosting environment; any site running a version at or below 3.6.1 should be treated as affected.
Risk and Exploitability
The CVSS score of 5.3 places the issue in the medium severity range. The EPSS score of under 1% indicates a low estimated probability of exploitation in the wild at present, and the CVE is not listed in the CISA KEV catalog. The page does not give the CVSS vector string, so the attack vector cannot be read off it; what can be said is that the flaw is a missing authorization check on plugin request handlers, and such handlers in a WordPress plugin are reached over HTTP, so a local vector is unlikely. Whether the attacker needs a logged-in account of some role, or can act without one, depends on how each affected handler is registered, which the advisory does not specify. In practice the risk therefore hinges on who can reach the unguarded handlers: on a site with open registration, a Subscriber-level account may be enough, while a site without such accounts narrows the exposure to users who already have access. The potential consequences are confined to unauthorized use of the plugin's own features, which is consistent with the moderate score.
OpenCVE Enrichment