Description
The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SMTP2GO for WordPress – Email Made Easy plugin lacks proper authorization checks on its log operations, so any authenticated user with subscriber-level access or higher can download a CSV export of all SMTP log entries or truncate them entirely. The export discloses recipient and sender addresses, message subjects and API response data; the truncation erases the plugin's record of what was sent. Both affect the confidentiality and integrity of the logging data, although the published CVSS 3.1 vector (C:N/I:L) credits only the integrity impact.

Affected Systems

WordPress sites running the SMTP2GO for WordPress – Email Made Easy plugin version 1.16.0 or older. No other product or vendor versions are stated as affected.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. EPSS is below 1%, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records exploitation as none, not automatable, with partial technical impact. Exploitation requires an authenticated account with at least subscriber privileges and no user interaction; on sites with open registration (the "Anyone can register" setting) that barrier is a single sign-up. The plugin does not restrict the log read or truncate actions to higher roles, which is the missing-authorization weakness (CWE-862) behind the finding.

Generated by OpenCVE AI on May 28, 2026 at 08:21 UTC.
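The authorization gap described above, as an added example that is not the plugin's code: a WordPress admin-ajax handler that treats "the user is logged in" as sufficient, beside the hardened form that checks a capability and a nonce. The action names (examplelog_*), the nonce action names, and the table and column names are hypothetical.

```php
<?php
/*
 * Illustrative admin-ajax handlers for a plugin-owned log table.
 * Example code for this page, not SMTP2GO's implementation; every
 * examplelog_* name, the nonce action and the table layout are assumed.
 */

// wp_ajax_{action} hooks fire for ANY logged-in user, subscribers included.
// Registering a handler on one of them is authentication, not authorization.
add_action( 'wp_ajax_examplelog_truncate_unsafe', 'examplelog_truncate_unsafe' );
add_action( 'wp_ajax_examplelog_truncate',        'examplelog_truncate_safe' );
add_action( 'wp_ajax_examplelog_export',          'examplelog_export_safe' );

/**
 * VULNERABLE PATTERN: no capability check, no nonce. A subscriber who learns
 * the action name can POST admin-ajax.php?action=examplelog_truncate_unsafe
 * and wipe the send history.
 */
function examplelog_truncate_unsafe() {
    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}examplelog_entries" ); // assumed table name
    wp_send_json_success( array( 'truncated' => true ) );
}

/**
 * Shared gate for privileged log operations. Authorization (capability) comes
 * first; the nonce only defends against CSRF and is no substitute, because a
 * low-privilege user can obtain a nonce from any page they are allowed to view.
 */
function examplelog_authorize_or_die( $nonce_action ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // ends the request
    }
    // The admin page that renders the button must emit the matching nonce,
    // e.g. wp_create_nonce( 'examplelog_truncate' ), in a field named "nonce".
    check_ajax_referer( $nonce_action, 'nonce' ); // dies on mismatch
}

/** HARDENED: truncate only for administrators, with a per-action nonce. */
function examplelog_truncate_safe() {
    global $wpdb;
    examplelog_authorize_or_die( 'examplelog_truncate' );
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}examplelog_entries" );
    wp_send_json_success( array( 'truncated' => true ) );
}

/** HARDENED: CSV export only for administrators, with a per-action nonce. */
function examplelog_export_safe() {
    global $wpdb;
    examplelog_authorize_or_die( 'examplelog_export' );

    $columns = array( 'sent_at', 'sender', 'recipient', 'subject', 'api_response' ); // assumed
    $rows    = $wpdb->get_results(
        'SELECT ' . implode( ', ', $columns ) .
        " FROM {$wpdb->prefix}examplelog_entries ORDER BY sent_at DESC",
        ARRAY_A
    );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="smtp-log.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, $columns );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    wp_die();
}
```

The same rule applies to REST routes: register_rest_route() needs a permission_callback that tests current_user_can() for the role that owns the data, not simply is_user_logged_in(). When reviewing a plugin for this class of bug, grep for every wp_ajax_ and register_rest_route() registration and confirm each handler performs its own capability check before touching the database.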

Remediation

No vendor advisory or workaround is linked on this page; the affected range is stated as all versions up to and including 1.16.0.

OpenCVE Recommended Actions

  • Upgrade the SMTP2GO for WordPress – Email Made Easy plugin to version 1.16.1 or newer (any release later than 1.16.0)
  • If an immediate upgrade is not possible, reduce who can authenticate: disable open user registration, review and remove untrusted subscriber‑level and higher accounts, and weigh deactivating the plugin until it is updated (this also stops mail sent through it)
  • After patching, check the plugin's SMTP log for signs of abuse: a log table that is unexpectedly empty or shorter than the send volume suggests the truncate action was used; search web server access logs for requests to the plugin's log export and truncate actions and correlate them with non‑administrator sessions; then verify that both actions now require administrator capability

Generated by OpenCVE AI on May 28, 2026 at 08:21 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 28 May 2026 12:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Type: Description
Values removed: none
Values added: The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.

Type: Title
Values removed: none
Values added: SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: none

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:34:23.935Z

Reserved: 2026-05-01T13:31:23.314Z

Link: CVE-2026-7621

Vulnrichment

Updated: 2026-05-28T10:34:17.693Z

NVD

Status : Deferred

Published: 2026-05-28T08:16:36.863

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-7621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses