MEDIUM 4.3

CVE-2026-7621: SMTP2GO WordPress Plugin Authorization Bypass Allows Log Deletion and Data Export

The SMTP2GO for WordPress plugin contains an authorization flaw that allows any logged-in user with subscriber-level permissions or higher to delete all SMTP email logs from the database or export sensitive email records to CSV format. This affects all versions up to 1.16.0 and exposes recipient addresses, sender information, message subjects, and API response data. An attacker with basic user access can perform these destructive and data-exfiltration actions without additional authentication checks.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7621 is an insecure direct object reference (IDOR) and broken authorization vulnerability in the SMTP2GO for WordPress plugin. The vulnerability stems from insufficient authorization verification in the plugin's log management functions. Authenticated users at the subscriber level and above can invoke actions intended for administrators—specifically the ability to truncate log records or export logs via CSV—because the plugin fails to enforce proper capability checks on these sensitive operations. The issue is catalogued under CWE-862 (Missing Authorization).

Business impact

Organizations using this plugin risk exposure of email metadata that may contain sensitive information such as recipient lists, sender identities, and message subjects. More immediately, attackers can permanently destroy audit logs, removing evidence of prior email communications and complicating forensic investigations. For compliance-heavy industries, log deletion creates audit trail gaps and potential regulatory violations. The damage is particularly acute in multi-user WordPress environments where subscriber accounts may be issued to contractors, clients, or team members with lower privilege expectations.

Affected systems

The SMTP2GO for WordPress plugin in all versions up to and including 1.16.0 is affected. Any WordPress installation with this plugin active and configured is vulnerable if it permits subscriber-level or higher user registration or account provisioning. The vulnerability requires an authenticated user to exploit; it cannot be triggered by anonymous visitors.

Exploitability

Exploitability is straightforward. An attacker must obtain or be assigned a subscriber-level or higher WordPress account, then navigate to the plugin's log management interface to either delete all records or export them as CSV. No special technical knowledge, social engineering, or user interaction is required—the plugin will honor the requests without asking for additional authentication. This makes the vulnerability accessible to a broad class of potential attackers, including disgruntled insiders, contractors with basic access, or accounts compromised via credential stuffing.

Remediation

Update the SMTP2GO for WordPress plugin to the latest patched version. Verify the patched version against the official SMTP2GO plugin repository or vendor advisory for the specific version number that addresses CVE-2026-7621. In the interim, restrict subscriber-level user registrations and carefully audit existing subscriber accounts, especially those belonging to external parties. Consider disabling the CSV export and log-truncation features if they are not operationally necessary.

Patch guidance

Upgrade the plugin to a version released after the vulnerability disclosure date (May 28, 2026). Check the official WordPress plugin directory or the SMTP2GO vendor advisory to confirm the patched version number. Most WordPress administrators can update via the dashboard's plugin management interface. After patching, audit recent log access and CSV exports to identify any suspicious activity or data exfiltration that may have occurred while the plugin was vulnerable.

Detection guidance

Monitor WordPress database for unusual truncation of the SMTP2GO log tables, particularly if initiated by non-administrator accounts. Review WordPress user activity logs and audit plugins (such as Wordfence or Audit Log) for CSV export events triggered by subscriber-level accounts. Check the SMTP2GO plugin's database tables for timestamps that indicate mass deletions or exports coinciding with known compromise periods. Correlate these events with user login patterns to identify potential attackers.

Why prioritize this

Although the CVSS score is moderate (4.3), the vulnerability carries meaningful risk in multi-user WordPress environments. The combination of easy exploitation (simple authenticated access), data sensitivity (email metadata), and audit-trail destruction (log truncation) makes it worthy of timely remediation. It is not an active KEV entry, so it is not being weaponized at scale, but the low barrier to exploitation means it is likely to be opportunistically exploited by insiders or competitors with basic WordPress access.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects a network-accessible vulnerability requiring low privilege (subscriber level) and no user interaction. The impact is limited to integrity (log truncation) and availability (data exfiltration), not confidentiality directly, hence the moderate rating. However, the practical risk is elevated by the ease of exploitation and the sensitivity of the exposed email metadata; security teams should not deprioritize this solely on CVSS alone.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires an authenticated WordPress user account at subscriber level or higher. An anonymous visitor cannot trigger the log truncation or CSV export functions.

What versions of the SMTP2GO plugin are affected?

All versions up to and including 1.16.0 are affected. Verify the patched version number against the official SMTP2GO vendor advisory or the WordPress plugin repository.

If an attacker exports SMTP logs, what data is exposed?

The CSV export includes recipient email addresses, sender addresses, message subjects, and API response data from the SMTP2GO service. This metadata can be used for reconnaissance, social engineering, or targeting of individuals.

Can log deletion be detected if it has already occurred?

Partial detection is possible if backups exist or if database transaction logs are preserved. However, if the attacker gains administrator access after log deletion, forensic recovery becomes significantly harder. Implement regular database backups and enable WordPress audit logging to improve detection and recovery.

This analysis is based on the CVE-2026-7621 public disclosure and official vendor advisories. Organizations must verify patch version numbers and compatibility with their WordPress environment before deploying updates. This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, but that status may change. Administrators should prioritize remediation based on their environment's user count, sensitivity of email communications, and internal access control policies. No exploit code is provided or endorsed. Always test patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).