CVE-2026-6963:
CVE-2026-6963 is a missing capability check vulnerability in the WP Mail Gateway plugin for WordPress (versions up to and including 1.8) that allows authenticated attackers with Subscriber-level access to modify SMTP settings and escalate privileges to administrator.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:May 2, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:5%
Exploitability
- Score:2.8
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:LOW
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2026-6963 is a missing capability check vulnerability in the WP Mail Gateway plugin for WordPress (versions up to and including 1.8) that allows authenticated attackers with Subscriber-level access to modify SMTP settings and escalate privileges to administrator.
Overview
CVE-2026-6963 affects the WP Mail Gateway WordPress plugin in all versions up to and including 1.8. The vulnerability stems from a missing authorization (capability) check on the `wmg_save_provider_config` AJAX endpoint, classified under CWE-862 (Missing Authorization). An authenticated attacker with as little as Subscriber-level access can exploit this flaw to silently reconfigure the site's SMTP mail settings, rerouting all outgoing emails—including password reset notifications—to an address under the attacker's control. This creates a straightforward privilege escalation path: the attacker triggers a password reset for a WordPress administrator, receives the reset link via the hijacked mail route, and then assumes full administrative control of the site. The issue is confirmed exploitable remotely over the network with low complexity and no interaction required from other users.
Remediation
- Users of the WP Mail Gateway plugin should update to a patched version beyond 1.8 immediately, as a fix has been committed to the plugin's trunk repository. Site administrators should audit their current SMTP configuration to verify it has not been tampered with, and review user accounts for unauthorized privilege changes. Until the update is applied, consider restricting AJAX endpoint access via a Web Application Firewall (WAF) rule or temporarily disabling the plugin. WordPress administrators should also enforce the principle of least privilege by limiting Subscriber-level registrations where not required.
References
- 1. Wordfence Threat Intelligence Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/c7caf1f4-a8dd-4016-91eb-2adbeed5290a?source=cve
- 2. WordPress Plugin Trac – Bootstrap.php (tag 1.8): https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Bootstrap.php#L47
- 3. WordPress Plugin Trac – Functions.php (tag 1.8): https://plugins.trac.wordpress.org/browser/wp-mail-gateway/tags/1.8/src/Functions.php#L111
- 4. WordPress Plugin Trac – Bootstrap.php (trunk): https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Bootstrap.php#L47
- 5. WordPress Plugin Trac – Functions.php (trunk): https://plugins.trac.wordpress.org/browser/wp-mail-gateway/trunk/src/Functions.php#L111
- 6. WordPress Plugin Trac – Changeset 3515205: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3515205%40wp-mail-gateway&new=3515205%40wp-mail-gateway&sfp_email=&sfph_mail=
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
