Description
Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation. This issue affects Bit SMTP: from n/a through <= 1.2.2.
Published: 2026-03-25
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Bit SMTP plugin for WordPress contains an incorrect privilege assignment flaw (CWE-266). This vulnerability permits an attacker who gains any level of access to the WordPress site to elevate privileges beyond those originally granted. The attacker could then modify site configuration, view restricted content, or execute arbitrary code, effectively taking full control of the WordPress environment.

Affected Systems

Bit Apps Bit SMTP plugin for WordPress is the affected product. All installations running version 1.2.2 or earlier are vulnerable. No further version details are specified.

Risk and Exploitability

The CVSS score of 9.0 indicates a critical severity impact, while the EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker would need some access to a WordPress instance and to the plugin's administrative interface; once authenticated, the misassigned privilege can be leveraged to elevate to administrator rights. The likely attack vector is remote privilege escalation via the plugin interface, with minimal prerequisites beyond possession of a legitimate WordPress account or the ability to interact with the site.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Bit SMTP plugin to a version newer than 1.2.2 as soon as a vendor patch is released.
  • If no update is available, disable or uninstall the plugin entirely to eliminate the attack surface.
  • Reduce the WordPress account privileges to the minimum required, following the principle of least privilege.
  • Monitor WordPress logs and security events for any suspicious activity that may indicate privilege-escalation attempts.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           cvssV3_1: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Bitapps; Bitapps bit Smtp; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Bitapps; Bitapps bit Smtp; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation. This issue affects Bit SMTP: from n/a through <= 1.2.2.
Title         (none)           WordPress Bit SMTP plugin <= 1.2.2 - Broken Authentication vulnerability
Weaknesses    (none)           CWE-266
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T14:57:15.903Z

Reserved: 2026-03-12T11:12:19.946Z

Link: CVE-2026-32519

Vulnrichment

Updated: 2026-03-26T14:56:10.550Z

NVD

Status : Received

Published: 2026-03-25T17:17:04.633

Modified: 2026-03-26T15:16:37.640

Link: CVE-2026-32519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:46Z

Weaknesses