Description
The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account.
Published: 2026-05-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Mail Gateway WordPress plugin is vulnerable due to a missing capability check on the wmg_save_provider_config AJAX action in all releases up to version 1.8. This flaw allows an authenticated user with Subscriber-level access or higher to alter the plugin’s SMTP settings. By changing these settings, the attacker can redirect outgoing emails, such as password reset notices, to capture credentials and thereby gain administrative access to the site. The vulnerability is a missing authorization flaw (CWE‑862) that can be used for privilege escalation.

Affected Systems

WordPress sites running the WP Mail Gateway plugin, versions up to and including 1.8, are impacted. Users of the plugin should verify the current version and consider updating to the latest release that addresses the authorization check.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity, while the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated, but only a subscriber or higher role is required, suggesting the exploit vector is via normal authenticated access to the WordPress site. The lack of a capability check makes the exploitation straightforward for any user who can log in to the dashboard or access the AJAX endpoint.

Generated by OpenCVE AI on May 2, 2026 at 10:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Mail Gateway to the latest version which includes a proper capability check on the wmg_save_provider_config AJAX action.
  • Use a role‑management plugin or custom capability code to remove the ability for Subscriber and other non‑administrator roles to modify SMTP settings, ensuring only administrators retain that privilege.
  • Review all existing WordPress user accounts, identify any with Subscriber or higher roles that possess SMTP configuration permissions, and revoke those permissions to eliminate unnecessary access.

Generated by OpenCVE AI on May 2, 2026 at 10:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 05:15:00 +0000

Type Values Removed Values Added
Description The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator's account.
Title WP Mail Gateway <= 1.8 - Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification via 'wmg_save_provider_config' AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T04:27:45.687Z

Reserved: 2026-04-24T15:46:42.755Z

Link: CVE-2026-6963

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T05:16:01.250

Modified: 2026-05-02T05:16:01.250

Link: CVE-2026-6963

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses