CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Description
The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.
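The pattern behind this class of bug, as an added example that is not Gravity SMTP's code: a WordPress AJAX handler for a destructive action, first without checks and then with a nonce check (CSRF) and a capability check (authorization). The action names, option key, nonce field and function names are hypothetical.

```php
<?php
// Hypothetical plugin code: the action names, option key, nonce field and
// function names are constructed for illustration, not taken from Gravity SMTP.

// BEFORE: wp_ajax_{action} hooks fire for every logged-in user, subscribers
// included, so registering the hook is not an authorization check.
add_action( 'wp_ajax_example_smtp_reset', 'example_smtp_reset_unchecked' );
function example_smtp_reset_unchecked() {
    delete_option( 'example_smtp_settings' );           // destructive, no checks
    deactivate_plugins( plugin_basename( __FILE__ ) );  // any logged-in user gets here
    wp_send_json_success();
}

// AFTER: same action, gated on request method, nonce and capability.
add_action( 'wp_ajax_example_smtp_reset_safe', 'example_smtp_reset_checked' );
function example_smtp_reset_checked() {
    // State-changing actions should not be reachable through a GET request.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( array( 'message' => 'POST required' ), 405 );
    }

    // CSRF: the request must carry a nonce minted for this action and user.
    // Third argument false = return false instead of dying, so we pick the status.
    if ( ! check_ajax_referer( 'example_smtp_reset', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // Authorization: a valid nonce only proves intent, not privilege.
    // Subscribers hold neither of these capabilities by default.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    delete_option( 'example_smtp_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success();
}
```

Both checks are needed: the nonce alone does not stop a subscriber who can obtain one, and the capability check alone does not stop a forged request sent from an administrator's browser.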
Analysis
Missing authorization in Gravity SMTP plugin for WordPress (versions ≤2.1.4) allows authenticated attackers with subscriber-level privileges to uninstall the plugin, deactivate functionality, and delete configuration options. Exploitable via direct API calls or CSRF attack vectors. …
Remediation
Within 24 hours: Audit all WordPress user accounts and document subscriber-level user assignments; identify whether the Gravity SMTP plugin is active and determine its version via the WordPress admin dashboard. Within 7 days: Restrict subscriber-level role permissions in WordPress to eliminate access to plugin settings; alternatively, temporarily restrict subscriber access until a vendor patch is available. …
EUVD-2026-21356
GHSA-66q3-hgw9-jr5j