{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/wp-mail-gateway-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6963"}],"_cs_exploited":false,"_cs_products":["WP Mail Gateway plugin"],"_cs_severities":["high"],"_cs_tags":["wordpress","privilege-escalation","plugin-vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe WP Mail Gateway plugin, a WordPress extension, contains a vulnerability (CVE-2026-6963) that allows authenticated users with minimal privileges (Subscriber level or higher) to gain administrative access. The flaw resides in the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e AJAX action, which lacks proper authorization checks. This omission enables attackers to manipulate SMTP settings, redirect outgoing emails, and ultimately trigger password reset emails intended for administrators. The vulnerability affects all versions of the WP Mail Gateway plugin up to and including version 1.8. Successful exploitation grants attackers complete control over the WordPress site, making it a critical security concern for any organization using the vulnerable plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into a WordPress site with a Subscriber-level account or higher.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThis request modifies the SMTP settings, redirecting outgoing emails to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request for an administrator account.\u003c/li\u003e\n\u003cli\u003eThe password reset email is intercepted by the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the password reset link to gain access to the administrator\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress dashboard with administrator privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any administrative action, including installing malicious plugins, modifying site content, or creating new administrator accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6963 allows an attacker to completely compromise a WordPress website.  Even low-privileged users can elevate their access to administrator, giving them full control over the site.  This can lead to data breaches, website defacement, malware deployment, and other malicious activities. The vulnerability affects all installations of the WP Mail Gateway plugin up to version 1.8, potentially impacting thousands of WordPress sites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WP Mail Gateway plugin to a version beyond 1.8 to patch CVE-2026-6963.\u003c/li\u003e\n\u003cli\u003eMonitor WordPress logs for suspicious AJAX requests targeting the \u003ccode\u003ewmg_save_provider_config\u003c/code\u003e action using the Sigma rule provided below. Enable webserver logging to capture HTTP POST requests.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect modifications to WordPress options related to SMTP configuration. Enable relevant logging for registry modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T05:16:01Z","date_published":"2026-05-02T05:16:01Z","id":"/briefs/2026-05-wp-mail-gateway-privesc/","summary":"The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.","title":"WP Mail Gateway Plugin Vulnerability Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-wp-mail-gateway-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — WP Mail Gateway Plugin","version":"https://jsonfeed.org/version/1.1"}