Privilege Escalation in Ultimate WP Mail Plugin for WordPress
CVE-2025-6993

8.8HIGH

Key Information:

Vendor: WordPress
Status: Ultimate WP Mail
Vendor: CVE Published:; 16 July 2025

What is CVE-2025-6993?

The Ultimate WP Mail plugin for WordPress is susceptible to a privilege escalation issue due to improper authorization in the get_email_log_details() AJAX handler. This vulnerability occurs in versions 1.0.17 to 1.3.6, allowing authenticated users with Contributor-level access and above to exploit the handler. By leveraging a client-supplied post_id, these users can access sensitive email log content, including password-reset links, as the authorization only checks for 'edit_posts' capability without validating user ownership or restricting access to administrators. This oversight enables potential attackers to retrieve an admin's reset link and gain elevated privileges.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ultimate WP Mail 1.0.17 <= 1.3.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/ultimate-wp-mail/#developers

https://plugins.trac.wordpress.org/browser/ultimate-wp-ma...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 16, 2025
Vulnerability Reserved
Jul 1, 2025

Credit

Kenneth Dunn

JSON

WordPress

What is CVE-2025-6993?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.