CVE-2025-6993
Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corresponding email log post content (including the password-reset link), relying only on the ‘edit_posts’ capability without restricting to administrators or validating ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to harvest an admin’s reset link and elevate their privileges to administrator.
Reserved 2025-07-01 | Published 2025-07-16 | Updated 2025-07-16 | Assigner Wordfence| 2025-07-15: | Disclosed |
Kenneth Dunn
www.wordfence.com/...-b623-4017-bd91-73986383c58b?source=cve
wordpress.org/plugins/ultimate-wp-mail/
plugins.trac.wordpress.org/.../1.3.6/includes/Ajax.class.php
plugins.trac.wordpress.org/changeset/3328277
Support options
