CVE-2025-54011

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Missing Authorization vulnerability in SMTP2GO SMTP2GO smtp2go allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMTP2GO: from n/a through <= 1.12.1.

Analysis (AI)

Missing authorization in SMTP2GO WordPress plugin versions through 1.12.1 allows unauthenticated attackers to exploit incorrectly configured access control mechanisms to bypass authentication and gain unauthorized access to SMTP2GO functionality. The vulnerability stems from broken access control rather than a cryptographic or input validation flaw, enabling attackers to interact with protected endpoints without proper privilege verification. While EPSS scoring indicates low exploitation probability (0.05%, percentile 17%), the nature of access control bypass vulnerabilities means real-world risk depends heavily on what sensitive operations are exposed.

Technical Context (AI)

This vulnerability is rooted in CWE-862 (Missing Authorization), which occurs when software fails to verify that a user has the required permissions before allowing access to sensitive functionality. In the SMTP2GO WordPress plugin the issue manifests as incorrectly configured access control security levels that do not validate user roles or capabilities before permitting requests to protected endpoints. The plugin (no CPE information is provided in the available data) integrates email delivery via the SMTP2GO service into WordPress sites, making it a bridge between WordPress authentication and external email infrastructure. The broken access control allows attackers to circumvent WordPress's native role-based access control (RBAC) and reach SMTP configuration endpoints that should be restricted to authenticated administrators or specific user roles.
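As an added illustration, not SMTP2GO's own code (which this page does not show), the hypothetical plugin snippet below registers a settings route with an open permission_callback, the CWE-862 pattern described above, beside the hardened registration that requires the manage_options capability; the route names, option name and api_key parameter are assumptions.

```php
<?php
// Hypothetical WordPress plugin code (not SMTP2GO's) illustrating CWE-862 on
// a settings endpoint and the capability check that closes it.

add_action( 'rest_api_init', function () {
    // WEAK: permission_callback => __return_true makes the route reachable by
    // any request, authenticated or not; WordPress never consults user roles.
    register_rest_route( 'mailer-demo/v1', '/settings-weak', array(
        'methods'             => 'POST',
        'callback'            => 'mailer_demo_save_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: only users holding manage_options (administrators by default)
    // reach the handler; everyone else receives 401/403 before it runs.
    // Cookie-authenticated callers must also send a valid X-WP-Nonce header,
    // which WordPress core enforces for REST requests.
    register_rest_route( 'mailer-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'mailer_demo_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function mailer_demo_save_settings( WP_REST_Request $request ) {
    // Defence in depth: re-check the capability inside the handler so the
    // route stays safe even if it is later registered with a weaker
    // permission_callback (as the weak route above does).
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    update_option( 'mailer_demo_api_key', sanitize_text_field( $request->get_param( 'api_key' ) ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

Auditing a plugin for this class of flaw means listing every register_rest_route, wp_ajax_nopriv_ and admin-post handler and confirming each one checks a capability (and, for form submissions, a nonce) before touching settings.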

Affected Products (AI)

SMTP2GO WordPress plugin versions from an unspecified baseline through version 1.12.1 are affected. The plugin serves as a WordPress integration point for the external SMTP2GO email delivery service. Exact CPE strings are not provided in available data, but the plugin can be identified via the WordPress plugin repository as smtp2go, and the vulnerability applies to all installations running version 1.12.1 or earlier. Detailed version range information and patch status are documented in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/smtp2go/vulnerability/wordpress-smtp2go-plugin-1-12-1-broken-access-control-vulnerability.

Remediation (AI)

Upgrade the SMTP2GO WordPress plugin to a version released after 1.12.1. Exact patched version numbers are not specified in available data, but the plugin should be updated to the latest available release via the WordPress plugin dashboard or directly from the official plugin repository. As an interim measure pending patch deployment, site administrators should restrict access to SMTP2GO plugin settings by limiting administrative user accounts to only those requiring email configuration access, and consider disabling the plugin temporarily if email delivery can be sourced through alternative means. Review WordPress user roles and capabilities to ensure that only trusted administrators have access to SMTP configuration. Additional context and remediation guidance is available at https://patchstack.com/database/Wordpress/Plugin/smtp2go/vulnerability/wordpress-smtp2go-plugin-1-12-1-broken-access-control-vulnerability.

CVE-2025-54011 vulnerability details – vuln.today