CVE-2026-6235

CRITICAL

Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests

Title source: cna

Description

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).

References (4)

Core 4

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve

https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L183

https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L174

https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/includes/sendmachine_email_manager.php#L39

Scores

CVSS v3 9.8

EPSS 0.0058

EPSS Percentile 42.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-862

Status published

Products (1)

sendmachine/Sendmachine for WordPress < 1.0.20

Published Apr 22, 2026

Tracked Since Apr 22, 2026