CVE-2026-2559
Status: Received - Intake
Unauthorized Data Modification in Post SMTP WordPress Plugin

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: Wordfence

Description
The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro.
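The weakness described above is a handler on `admin_init` that trusts its request parameters. The following is an added illustrative example, not the Post SMTP plugin's own code: a hypothetical OAuth redirect handler with the two checks the advisory says were missing (a capability check and a per-user state check that plays the role of nonce verification in an OAuth callback). All function, option and transient names are assumptions.

```php
<?php
// Added illustrative example, not the Post SMTP plugin's own code; all names
// (functions, options, transients) are hypothetical. admin_init fires for
// every logged-in request to wp-admin, so the callback itself must authorize
// the caller before touching configuration.

// When an administrator starts the flow, mint a per-user state value and keep
// it briefly; the provider echoes `state` back unchanged on the redirect.
function example_oauth_begin_url( $authorize_endpoint ) {
    $state = wp_generate_password( 32, false );
    set_transient( 'example_oauth_state_' . get_current_user_id(), $state, 10 * MINUTE_IN_SECONDS );
    return add_query_arg( 'state', $state, $authorize_endpoint );
}

// Redirect handler. The advisory describes a handler lacking both checks
// marked A and B, so any logged-in user could reach it with a crafted URL.
function example_oauth_redirect() {
    if ( ! isset( $_GET['example_oauth'], $_GET['code'], $_GET['state'] ) ) {
        return; // not our callback; let admin_init continue
    }
    // Check A: only users who may manage site options may change mail settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Check B: echoed state must equal the value minted for this user
    // (constant-time compare), then be consumed so it cannot be replayed.
    $key      = 'example_oauth_state_' . get_current_user_id();
    $expected = get_transient( $key );
    $state    = sanitize_text_field( wp_unslash( $_GET['state'] ) );
    if ( ! is_string( $expected ) || ! hash_equals( $expected, $state ) ) {
        wp_die( esc_html__( 'Invalid OAuth state.', 'example' ), '', array( 'response' => 403 ) );
    }
    delete_transient( $key );
    // Only now exchange the authorization code server-side; tokens never come
    // from the URL itself, so a crafted redirect cannot plant them.
    $resp = wp_remote_post( get_option( 'example_oauth_token_endpoint' ), array( 'body' => array(
        'grant_type'    => 'authorization_code',
        'code'          => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
        'client_id'     => get_option( 'example_oauth_client_id' ),
        'client_secret' => get_option( 'example_oauth_client_secret' ),
        'redirect_uri'  => admin_url( '?example_oauth=1' ),
    ) ) );
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( is_wp_error( $resp ) || ! is_array( $body ) || empty( $body['access_token'] ) ) {
        wp_die( esc_html__( 'Token exchange failed.', 'example' ), '', array( 'response' => 400 ) );
    }
    update_option( 'example_oauth_tokens', array(
        'access_token'  => $body['access_token'],
        'refresh_token' => isset( $body['refresh_token'] ) ? $body['refresh_token'] : '',
    ), false );
}
add_action( 'admin_init', 'example_oauth_redirect' );
```

For a site-side check, administrators can review the stored OAuth configuration option after patching and, if it was changed unexpectedly, re-run the setup with a known tenant and revoke the stale tokens.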
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Two associated CPEs:

Vendor        Product     Version / Range
post_smtp     post_smtp   up to and including 3.8.0
wp_mail_smtp  post_smtp   up to and including 3.8.0
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Executive Summary

The Post SMTP plugin for WordPress has a vulnerability in the function handle_office365_oauth_redirect() present in all versions up to 3.8.0. This function lacks proper capability checks and nonce verification, allowing authenticated users with Subscriber-level access or higher to modify the site's Office 365 OAuth mail configuration by using a specially crafted URL.

Because the function is hooked to admin_init without verifying user permissions, attackers can overwrite sensitive configuration options such as access tokens, refresh tokens, and user email related to Microsoft365 SMTP setup in the Pro version of the plugin.

Impact Analysis

This vulnerability allows an attacker with low-level authenticated access to overwrite the Office 365 OAuth mail configuration of the site. This could lead to an administrator unknowingly connecting the plugin to an attacker-controlled Azure application during configuration after upgrading to the Pro version.

Such unauthorized modification can compromise the integrity of the mail system, potentially allowing the attacker to intercept or manipulate emails sent via the plugin.
