Post SMTP
CPE: cpe:2.3:a:postman-smtp_project:postman-smtp:*:*:*:*:wordpress:*:*
Affected versions: <= 3.4.1
A vulnerability exists in the New Wizard component of the Post SMTP WordPress plugin, in all versions up to and including 3.4.1. The 'update_post_smtp_pro_option_callback' function is missing a capability check, so authenticated attackers with Subscriber-level access and above can modify data without authorization. Specifically, these attackers can activate pro extensions within the plugin.
Exploitation of this vulnerability allows for unauthorized activation of pro extensions in the Post SMTP WordPress plugin.
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send an AJAX request to update the 'post_smtp_pro' option. This request can be made without the necessary capability, as the plugin does not properly validate the user's permissions before allowing the update.
Users are advised to update the Post SMTP WordPress plugin to version 3.4.2 or later, where this vulnerability has been patched.
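The bug class described above, shown as an added example that is not Post SMTP's source code or its actual patch: a WordPress AJAX handler without a capability check beside a hardened form. The function names, action names, option name, nonce field, extension slugs and the choice of `manage_options` as the required capability are all assumptions made for illustration.

```php
<?php
// Illustrative only: hypothetical names throughout, not the plugin's code.

// Before: wp_ajax_{action} fires for ANY logged-in user, Subscribers included,
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_example_update_pro_option', 'example_update_pro_option_unchecked' );
function example_update_pro_option_unchecked() {
    $requested = isset( $_POST['extensions'] ) ? (array) wp_unslash( $_POST['extensions'] ) : array();
    update_option( 'example_pro_option', array_map( 'sanitize_key', $requested ) );
    wp_send_json_success();
}

// After: authorize first, then verify the nonce, then validate the input.
add_action( 'wp_ajax_example_update_pro_option_v2', 'example_update_pro_option_checked' );
function example_update_pro_option_checked() {
    // Capability check. 'manage_options' (administrators) is an assumed requirement.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Nonce check (CSRF defence). With the third argument false,
    // check_ajax_referer() returns false instead of terminating the request.
    if ( ! check_ajax_referer( 'example_update_pro_option', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Only accept extension slugs from a fixed allow-list (constructed sample values).
    $allowed   = array( 'extension_a', 'extension_b' );
    $requested = isset( $_POST['extensions'] ) ? (array) wp_unslash( $_POST['extensions'] ) : array();
    $enabled   = array_values( array_intersect( $allowed, array_map( 'sanitize_key', $requested ) ) );

    update_option( 'example_pro_option', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
```

A nonce alone is not an authorization control, because any logged-in user who can load a page that embeds the nonce can replay it, so the capability check has to be present regardless.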