Skip to main content

Bit Smtp CVE-2026-32519

| EUVDEUVD-2026-15882 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-03-25 Patchstack GHSA-mff3-m6p6-mh2j
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15882
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.0

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2.

AnalysisAI

Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.

Technical ContextAI

Bit SMTP is a WordPress plugin (identified via CPE cpe:2.3:a:bit_apps:bit_smtp) designed to handle SMTP email functionality within WordPress installations. The vulnerability stems from CWE-266 (Incorrect Privilege Assignment), which occurs when the application fails to properly validate or enforce role-based access controls. This flaw allows attackers to bypass authentication or authorization checks that should restrict certain operations to privileged users only. The root cause likely involves improper capability checks or role validation in the plugin's email handling logic, potentially allowing unauthenticated or low-privileged users to perform administrative actions such as modifying email settings, accessing sensitive configuration, or sending emails on behalf of the site.

RemediationAI

Immediately upgrade Bit SMTP to a version later than 1.2.2 when available from the Bit Apps development team. Users should check the official Bit SMTP plugin repository or Patchstack database (https://patchstack.com/database/Wordpress/Plugin/bit-smtp/) for patch availability and release notes. Until an updated version is available, restrict access to the WordPress admin dashboard to trusted users only, disable the Bit SMTP plugin if not actively in use, and consider implementing Web Application Firewall (WAF) rules to monitor for exploitation attempts targeting SMTP configuration endpoints. Administrators should also review user roles and capabilities to ensure that only appropriate administrators have email management permissions, and audit recent plugin activity logs for signs of unauthorized privilege escalation.

Share

CVE-2026-32519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy