{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2559", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-15T19:05:42.476Z", "datePublished": "2026-03-18T15:28:28.190Z", "dateUpdated": "2026-04-08T16:45:16.533Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:16.533Z"}, "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro."}], "title": "Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484515/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Iden"}], "timeline": [{"time": "2026-02-15T19:21:39.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T17:06:23.958716Z", "id": "CVE-2026-2559", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:06:32.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2559", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T17:06:23.958716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:06:28.181Z"}}], "cna": {"title": "Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite", "credits": [{"lang": "en", "type": "finder", "value": "Michael Iden"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-15T19:21:39.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484515/"}], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:16.533Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2559", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:16.533Z", "dateReserved": "2026-02-15T19:05:42.476Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T15:28:28.190Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro."}, {"lang": "es", "value": "El plugin Post SMTP para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n `handle_office365_oauth_redirect()` en todas las versiones hasta la 3.8.0, inclusive. Esto se debe a que la funci\u00f3n est\u00e1 enganchada a `admin_init` sin ninguna verificaci\u00f3n de `current_user_can()` o verificaci\u00f3n de nonce. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, sobrescriban la configuraci\u00f3n de correo OAuth de Office 365 del sitio (token de acceso, token de actualizaci\u00f3n y correo electr\u00f3nico del usuario) a trav\u00e9s de una URL manipulada. La opci\u00f3n de configuraci\u00f3n se utiliza durante la configuraci\u00f3n guiada de SMTP de Microsoft365, solo disponible en la opci\u00f3n Pro del plugin. Esto podr\u00eda hacer que un Administrador crea que una aplicaci\u00f3n de Azure controlada por un atacante es suya, y los lleve a conectar el plugin a la cuenta del atacante durante la configuraci\u00f3n despu\u00e9s de actualizar a Pro."}], "id": "CVE-2026-2559", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T16:16:27.217", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3484515/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "source": "cna", "vendor": "saadiqbal"}, "product": "post_smtp_\u2013_complete_email_deliverability_and_smtp_solution_with_email_logs,_alerts,_backup_smtp_&_mobile_app", "vendor": "saadiqbal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T16:22:04.717162+00:00", "value": {"mitigation_remediation": ["Update the Post SMTP plugin to a version that includes the patch (>= 3.8.1).", "If an immediate update is not possible, remove or disable the plugin\u2019s Office 365 OAuth configuration options, or restrict Subscriber+ roles from accessing the admin area until the update is applied."], "summary": {"action": "Patch", "impact": "Impersonation / Misconfiguration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin saadiqbal:Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App. All supported plugin releases up to and including version 3.8.0 are vulnerable. Versions 3.8.1 and newer contain the fix and are not affected.", "description_and_impact": "The Post SMTP plugin for WordPress allows any authenticated user with Subscriber-level access or higher to overwrite the site's Office 365 OAuth mail configuration. This is caused by the handle_office365_oauth_redirect() function being hooked to admin_init without a current_user_can() check or nonce verification. As a result, attackers can provide a crafted URL that writes new access token, refresh token, and user email values into the plugin's configuration. The vulnerability is an access\u2011control failure (CWE\u2011862) that enables unauthorized modification of critical email settings and could lead to an administrator believing an attacker\u2011controlled Azure app is legitimate. This may allow the attacker to redirect mail traffic or compromise the site\u2019s email delivery based on the overwritten configuration.", "risk_and_exploitability": "The CVSS v3.1 score is 5.3, indicating a medium severity impact. No EPSS score is available, and the weakness is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit requires a valid authenticated WordPress session with a role of Subscriber or higher, and the attacker must construct a URL that triggers the admin_init hook. Because it only affects users that already have some level of access, the risk is limited to compromised or low\u2011privilege accounts rather than unauthenticated public exposure. Nonetheless, the potential for an attacker to disguise themselves as an administrator and reconfigure Office 365 settings means that sites with active Office 365 integration should treat it as a moderate positive risk until patched."}}}}, "created": "2026-03-19T08:56:31.970890+00:00", "updated": "2026-03-24T10:58:38.696307+00:00", "vendors": ["saadiqbal", "saadiqbal$PRODUCT$post_smtp_\u2013_complete_email_deliverability_and_smtp_solution_with_email_logs,_alerts,_backup_smtp_&_mobile_app", "wordpress", "wordpress$PRODUCT$wordpress"]}