CVE-2026-7621 | THREATINT

Description

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.

PUBLISHED Reserved 2026-05-01 | Published 2026-05-28 | Updated 2026-05-28 | Assigner Wordfence

MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status

unaffected

Any version

affected

Timeline

2026-05-01:	Vendor Notified
2026-05-27:	Disclosed

Credits

darkestmode finder

References

www.wordfence.com/...-95ca-4148-9b24-0df0a2a8871d?source=cve

plugins.trac.wordpress.org/...k/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/...1/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/...k/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/...1/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/.../trunk/app/WordpressPlugin.php

plugins.trac.wordpress.org/...1.14.1/app/WordpressPlugin.php

plugins.trac.wordpress.org/...0/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/...0/app/WordpressPluginAdmin.php

plugins.trac.wordpress.org/...1.14.0/app/WordpressPlugin.php

plugins.trac.wordpress.org/...0smtp2go&sfp_email=&sfph_mail=

cve.org (CVE-2026-7621)

nvd.nist.gov (CVE-2026-7621)

Download JSON

help @ threatint.eu