Missing Authorization in Gravity SMTP Plugin for WordPress
CVE-2026-4162
7.1 HIGH
What is CVE-2026-4162?
The Gravity SMTP plugin for WordPress has insufficient authorization checks. In versions prior to 2.1.5, authenticated attackers with subscriber-level access or higher can uninstall and deactivate the plugin and delete its options. The vulnerability can also be exploited through a Cross-Site Request Forgery (CSRF) attack. Users are encouraged to update to version 2.1.5 to mitigate this risk.
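For plugin developers reviewing their own handlers for the same class of flaw, the following added example (not Gravity SMTP's code) shows a destructive WordPress AJAX action guarded by both a capability check and a nonce check. The action name, nonce field, option key and the choice of the `activate_plugins` capability are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Guarded Uninstall (illustration only)
 */

defined( 'ABSPATH' ) || exit;

// Hypothetical names; none of these are taken from Gravity SMTP.
const EXAMPLE_ACTION     = 'example_smtp_uninstall';
const EXAMPLE_OPTION_KEY = 'example_smtp_settings';

// wp_ajax_{action} fires for ANY logged-in user, subscribers included.
// Registering the hook is therefore not an authorization check.
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_handle_uninstall' );

function example_handle_uninstall() {
	// 1. Authorization: without this, subscriber-level accounts reach
	//    the destructive code below.
	if ( ! current_user_can( 'activate_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 2. CSRF: without this, a third-party page can make an administrator's
	//    browser send the request with the administrator's cookies.
	//    $die = false so the failure is returned as JSON, not a bare -1.
	if ( ! check_ajax_referer( EXAMPLE_ACTION, 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
	}

	// 3. Only now perform the state-changing work.
	delete_option( EXAMPLE_OPTION_KEY );
	deactivate_plugins( plugin_basename( __FILE__ ) );
	wp_send_json_success();
}

// Hand the nonce only to users who pass the same capability check,
// on admin screens where the uninstall control is rendered.
add_action( 'admin_enqueue_scripts', function () {
	if ( current_user_can( 'activate_plugins' ) ) {
		wp_register_script( 'example-smtp-admin', '', array(), false, true );
		wp_enqueue_script( 'example-smtp-admin' );
		wp_localize_script( 'example-smtp-admin', 'exampleSmtp', array(
			'nonce' => wp_create_nonce( EXAMPLE_ACTION ),
		) );
	}
} );
```

The two checks are independent: a nonce alone does not restrict which role may act, and a capability check alone does not stop a forged request sent from a privileged user's browser.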
Affected Version(s)
Gravity SMTP 0 <= 2.1.4