Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2.
AnalysisAI
Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.
Technical ContextAI
Bit SMTP is a WordPress plugin (identified via CPE cpe:2.3:a:bit_apps:bit_smtp) designed to handle SMTP email functionality within WordPress installations. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), which occurs when the application fails to properly validate or enforce role-based access controls. This flaw allows attackers to bypass authentication or authorization checks that should restrict certain operations to privileged users only. The root cause likely involves improper capability checks or role validation in the plugin's email handling logic, potentially allowing unauthenticated or low-privileged users to perform administrative actions such as modifying email settings, accessing sensitive configuration, or sending emails on behalf of the site.
RemediationAI
Immediately upgrade Bit SMTP to a version later than 1.2.2 when available from the Bit Apps development team. Users should check the official Bit SMTP plugin repository or Patchstack database (https://patchstack.com/database/Wordpress/Plugin/bit-smtp/) for patch availability and release notes. Until an updated version is available, restrict access to the WordPress admin dashboard to trusted users only, disable the Bit SMTP plugin if not actively in use, and consider implementing Web Application Firewall (WAF) rules to monitor for exploitation attempts targeting SMTP configuration endpoints. Administrators should also review user roles and capabilities to ensure that only appropriate administrators have email management permissions, and audit recent plugin activity logs for signs of unauthorized privilege escalation.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15882
GHSA-mff3-m6p6-mh2j