Description
The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
Published: 2025-09-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Enable Pro Extensions
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Post SMTP WordPress plugin is caused by a missing capability check in the update_post_smtp_pro_option_callback function. This flaw allows any authenticated user who has Subscriber-level access or higher to modify plugin settings and enable paid (pro) extensions. The impact is an unauthorized change of configuration, effectively giving attackers the ability to activate commercial features without proper authorization.
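The class of bug described above, shown as an added illustrative example in PHP. This is not code from the Post SMTP plugin; every function, hook, nonce and option name below is hypothetical. The first handler reproduces the CWE-862 pattern (a logged-in AJAX endpoint that writes an option with no authorization check); the second is the hardened form that a reviewer would expect.

```php
<?php
// Added illustrative example, not code from the Post SMTP plugin.
// All names here are hypothetical; the pattern is what CWE-862 describes.

// BEFORE (vulnerable pattern, kept unregistered here for comparison):
// a wp_ajax_ hook only proves the request came from a logged-in session.
// Nothing checks WHAT that user is allowed to do, so any role that can
// log in, including Subscriber, can reach update_option().
function example_update_pro_option_callback_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_pro_extension_enabled', $enabled );
    wp_send_json_success();
}

// AFTER (hardened pattern): two independent controls before any write.
function example_update_pro_option_callback_fixed() {
    // 1. CSRF control: the request must carry a nonce issued by the plugin's
    //    own admin page. This does not establish authorization on its own.
    check_ajax_referer( 'example_pro_option_nonce', 'nonce' );

    // 2. Authorization control: the check that was missing. Being logged in
    //    (authentication) is not the same as being allowed to change plugin
    //    settings; manage_options is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Validate input strictly rather than casting arbitrary POST data.
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_option( 'example_pro_extension_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}

// Only the hardened handler is wired to the AJAX action.
add_action( 'wp_ajax_example_update_pro_option', 'example_update_pro_option_callback_fixed' );
```

When reviewing a plugin for this bug class, look at every `wp_ajax_*`, REST route and `admin_post_*` callback and confirm that each one that mutates state calls `current_user_can()` with an appropriate capability (or, for REST routes, declares a `permission_callback`); a nonce check alone does not close the gap, because a Subscriber can obtain a valid nonce for any page they can load.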

Affected Systems

The issue exists in all versions of the Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin up to and including version 3.4.1, which is distributed by the saadiqbal vendor on the WordPress Plugin Repository.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, but the vulnerability can be exploited by any authenticated user with a Subscriber or higher role, a fairly common access level on WordPress sites. The very low EPSS score (< 1%) suggests that exploitation likelihood is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the attack does not require remote code execution or special network access, administrators should deploy a patch promptly to prevent unauthorized configuration changes.

Generated by OpenCVE AI on April 21, 2026 at 03:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post SMTP plugin to version 3.4.2 or later.
  • Remove any pro extensions that have been enabled without authorization.
  • Restrict the Subscriber role’s capabilities so it cannot alter plugin settings until the patch is applied.

Generated by OpenCVE AI on April 21, 2026 at 03:18 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-28826
Title: The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
History

Wed, 03 Sep 2025 20:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Wed, 03 Sep 2025 14:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Sep 2025 08:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.
Type: Title
  Values Removed: (none)
  Values Added: Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862
Type: References
  Values Removed: (none)
  Values Added: (none listed)
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:49.947Z

Reserved: 2025-08-19T23:24:12.546Z

Link: CVE-2025-9219

Vulnrichment

Updated: 2025-09-03T13:27:22.832Z

NVD

Status: Deferred

Published: 2025-09-03T09:15:34.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses