{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9219", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-19T23:24:12.546Z", "datePublished": "2025-09-03T08:27:23.212Z", "dateUpdated": "2026-04-08T16:57:49.947Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:49.947Z"}, "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications \u2013 Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions."}], "title": "Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65914bbf-6563-4bf2-a358-885e182a1365?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L1858"}, {"url": "https://plugins.trac.wordpress.org/changeset/3353624/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matteo Leonelli"}, {"lang": "en", "type": "finder", "value": "David Dewes"}], "timeline": [{"time": "2025-08-20T17:23:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-02T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-03T13:27:13.724015Z", "id": "CVE-2025-9219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T13:27:25.659Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-03T13:27:13.724015Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-03T13:27:22.832Z"}}], "cna": {"title": "Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update", "credits": [{"lang": "en", "type": "finder", "value": "Matteo Leonelli"}, {"lang": "en", "type": "finder", "value": "David Dewes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-20T17:23:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-02T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65914bbf-6563-4bf2-a358-885e182a1365?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L1858"}, {"url": "https://plugins.trac.wordpress.org/changeset/3353624/"}], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications \u2013 Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:49.947Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9219", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:49.947Z", "dateReserved": "2025-08-19T23:24:12.546Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-03T08:27:23.212Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications \u2013 Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions."}], "id": "CVE-2025-9219", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-03T09:15:34.710", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L1858"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3353624/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65914bbf-6563-4bf2-a358-885e182a1365?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:18:49.782845+00:00", "value": {"mitigation_remediation": ["Update the Post SMTP plugin to version 3.4.2 or later.", "Remove any pro extensions that have been enabled without authorization.", "Restrict the Subscriber role\u2019s capabilities so it cannot alter plugin settings until the patch is applied."], "summary": {"action": "Patch Now", "impact": "Privilege Escalation to Enable Pro Extensions"}, "threat_synthesis": {"affected_systems": "The issue exists in all versions of the Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin up to and including version 3.4.1, which is distributed by the saadiqbal vendor on the WordPress Plugin Repository.", "description_and_impact": "The vulnerability in the Post SMTP WordPress plugin is caused by a missing capability check in the update_post_smtp_pro_option_callback function. This flaw allows any authenticated user who has Subscriber-level access or higher to modify plugin settings and enable paid (pro) extensions. The impact is an unauthorized change of configuration, effectively giving attackers the ability to activate commercial features without proper authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, but the vulnerability can be exploited by any authenticated user with Subscriber or higher role, a fairly common access level in WordPress sites. The very low EPSS score (< 1%) suggests that exploitation likelihood is currently low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the attack does not require remote code execution or special network access, administrators should deploy a patch promptly to prevent unauthorized configuration changes."}}}}, "created": "2025-09-03T20:27:06.109890+00:00", "updated": "2026-04-21T03:30:26.331074+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}