CVE-2026-7621
SMTP2GO Log Data Exposure in WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smtp2go | smtp2go_for_wordpress | up to and including 1.16.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The SMTP2GO for WordPress – Email Made Easy plugin is vulnerable because it does not properly verify whether a user is authorized to perform certain actions.
This flaw allows authenticated users with subscriber-level access or higher to either delete all SMTP2GO log records from the database or download a CSV export containing sensitive SMTP log data.
- The exported data includes recipient addresses, sender addresses, message subjects, and API response data.
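The missing authorization check described above (CWE-862), shown as an added example that is not the plugin's own code. It assumes the log actions are exposed as WordPress AJAX handlers; the action names, nonce name, table name and column names are hypothetical.

```php
<?php
// Added illustration. All example_* names and the table/columns are hypothetical.

// BEFORE (CWE-862). A wp_ajax_* hook fires for ANY logged-in user, subscribers
// included, so being "authenticated" is the only gate on this handler.
// Registration is left commented out so this file never exposes it:
// add_action('wp_ajax_example_truncate_logs', 'example_truncate_logs_unchecked');
function example_truncate_logs_unchecked() {
    global $wpdb;
    $wpdb->query("TRUNCATE TABLE {$wpdb->prefix}example_mail_log");
    wp_send_json_success();
}

// AFTER. One shared gate called first by every log-management handler.
function example_require_log_admin() {
    // Nonce ties the request to a page rendered for this user (CSRF defence);
    // check_ajax_referer() terminates the request itself when the nonce is bad.
    check_ajax_referer('example_log_admin', 'nonce');
    // The capability check is the actual authorization decision.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403); // also terminates
    }
}

add_action('wp_ajax_example_truncate_logs', 'example_truncate_logs');
function example_truncate_logs() {
    example_require_log_admin();
    global $wpdb;
    $wpdb->query("TRUNCATE TABLE {$wpdb->prefix}example_mail_log");
    wp_send_json_success();
}

add_action('wp_ajax_example_export_logs', 'example_export_logs');
function example_export_logs() {
    example_require_log_admin();
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT recipient, sender, subject, response FROM {$wpdb->prefix}example_mail_log",
        ARRAY_A
    );
    header('Content-Type: text/csv; charset=utf-8');
    header('Content-Disposition: attachment; filename="mail-log.csv"');
    $out = fopen('php://output', 'w');
    foreach ($rows as $row) {
        fputcsv($out, $row, ',', '"', '\\');
    }
    fclose($out);
    exit;
}
```

When auditing a plugin for this class of bug, every state-changing or data-exporting handler should reach a `current_user_can()` call before it touches the database or writes output.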
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users with low-level access to manipulate or access sensitive email log data.
- They can truncate (delete) all SMTP2GO log records, potentially causing loss of important email tracking information.
- They can also download a CSV file containing detailed SMTP log data, exposing recipient and sender email addresses, message subjects, and API response details.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the SMTP2GO for WordPress plugin up to and including 1.16.0. Immediate mitigation steps include updating the plugin to a version later than 1.16.0 where the issue is fixed.
Additionally, restrict subscriber-level user permissions and monitor access to SMTP2GO log records to prevent unauthorized truncation or export of sensitive email log data.