CVE-2026-4162 - Vulnerability Details

- Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall

Description

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.

Published: 2026-04-10

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Gravity SMTP plugin fails to perform proper authorization checks for uninstall and deactivate actions. As a result, any authenticated user with the subscriber role or higher can remove the plugin, disable its email sending capability, and delete its stored options. The same flaw allows an attacker to trigger the action via a Cross‑Site Request Forgery vector, potentially without direct interaction with the victim's browser if a malicious link is visited while the user is logged in.

Affected Systems

WordPress sites that have the RocketGenius Gravity SMTP plugin installed in versions 2.1.4 or earlier are vulnerable. Sites running later releases, such as 2.1.5 and above, are not affected.

Risk and Exploitability

The base CVSS score of 7.1 indicates a medium‑to‑high severity vulnerability. An EPSS score is not provided, and the issue is not catalogued by CISA’s KEV list. An attacker can exploit the flaw by logging in with a subscriber or higher account or by sending a crafted CSRF request to a victim who is authenticated. The impact is site‑wide loss of outbound email capability and potential loss of configuration settings, affecting the confidentiality and availability of email communications.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

RocketGenius

Gravity SMTP

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.1.4

No data.

Vendor Product Confidence Versions

Rocketgenius

Gravity Smtp

100%

Version	Status	Scheme	Platform
`[0,2.1.4]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Gravity SMTP plugin to version 2.1.5 or later.
If an upgrade cannot be performed immediately, use a role editor or custom code to revoke uninstall capabilities for subscriber and lower roles.
Monitor WordPress logs for unexpected plugin uninstall or deactivation events.
Consider disabling the Uninstall functionality via plugin settings until the patch is applied.

Generated by OpenCVE AI on April 10, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/
https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve

History

Mon, 13 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rocketgenius Rocketgenius gravity Smtp Wordpress Wordpress wordpress
Vendors & Products		Rocketgenius Rocketgenius gravity Smtp Wordpress Wordpress wordpress

Fri, 10 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
Description		The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.
Title		Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall
Weaknesses		CWE-862
References		https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/ https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}`

Subscriptions

Rocketgenius Gravity Smtp

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-04-10T09:25:56.478Z

Updated: 2026-04-13T15:15:09.053Z

Reserved: 2026-03-13T22:45:31.558Z

Link: CVE-2026-4162

Vulnrichment

Updated: 2026-04-13T15:11:45.727Z

NVD

Status : Deferred

Published: 2026-04-10T10:16:04.120

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-4162

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:10Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object