EUVD-2026-12835CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Description
The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro.
Analysis
The Post SMTP WordPress plugin for versions up to 3.8.0 contains an authorization bypass vulnerability in the Office 365 OAuth redirect handler that allows authenticated subscribers and above to overwrite sensitive SMTP configuration without proper capability checks or nonce validation. An attacker with subscriber-level access can craft a malicious URL to inject attacker-controlled Azure app credentials into the site's Microsoft 365 configuration, potentially causing administrators to unknowingly connect to the attacker's account during Pro wizard setup. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running all and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today