Unauthorized Data Modification Vulnerability in Post SMTP Plugin for WordPress
CVE-2026-2559

5.3 MEDIUM

What is CVE-2026-2559?

The Post SMTP plugin for WordPress is vulnerable to unauthorized data modification because the handle_office365_oauth_redirect() function lacks a capability check. This affects all versions up to and including 3.8.0: the function is hooked to the admin_init action but performs neither a current_user_can() check nor nonce verification. An authenticated attacker with Subscriber-level access or higher can therefore use a crafted URL to overwrite the Office 365 OAuth mail settings, including sensitive values such as access tokens and user emails. The risk is that an administrator may believe they are connecting the plugin to their own Azure app when in fact the setup links it to the attacker's account.
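
The missing checks the advisory describes, shown as an added illustration rather than Post SMTP's own code: an admin_init callback that completes an OAuth redirect must verify the caller's capability and a nonce before writing settings. The handler names, option key and nonce action below are assumptions for the example.

```php
<?php
// Added illustration, not Post SMTP's own code. Function names, the
// option key and the nonce action are assumed for the example.

// Pattern described in the advisory: the callback runs on admin_init for
// every logged-in user and writes settings straight from request
// parameters, with no capability check and no nonce verification.
function insecure_oauth_redirect_handler() {
    if ( ! isset( $_GET['code'] ) ) {
        return;
    }
    // Any Subscriber who reaches wp-admin can overwrite the stored mail settings.
    update_option( 'example_office365_oauth', array(
        'code'  => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
        'email' => sanitize_email( wp_unslash( $_GET['email'] ?? '' ) ),
    ) );
}

// Hardened form: only users allowed to manage options may complete the
// redirect, and the request must carry the nonce issued when the admin
// started the OAuth flow, so a link crafted by someone else is rejected.
function secure_oauth_redirect_handler() {
    if ( ! isset( $_GET['code'] ) ) {
        return;
    }
    // Capability check: Subscriber-level accounts stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change mail settings.' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: the OAuth 'state' value is assumed to have been created
    // with wp_create_nonce( 'example_office365_oauth_redirect' ) when the
    // administrator began the flow, and is echoed back by the provider.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'example_office365_oauth_redirect' ) ) {
        wp_die( esc_html__( 'Invalid or expired OAuth state.' ), '', array( 'response' => 403 ) );
    }
    update_option( 'example_office365_oauth', array(
        'code'  => sanitize_text_field( wp_unslash( $_GET['code'] ) ),
        'email' => sanitize_email( wp_unslash( $_GET['email'] ?? '' ) ),
    ) );
}

add_action( 'admin_init', 'secure_oauth_redirect_handler' );
```

Because wp_verify_nonce() ties the nonce to the logged-in user's session, a state value generated in one administrator's browser cannot be replayed by a different account.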

Affected Version(s)

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App: <= 3.8.0

References

CVSS v3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Iden