CVE-2024-9065

The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient. CVE-2025-24737 is likely a duplicate of this issue.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wp-helper-lite/tags/4.6.1/functions/class.wps-frontend-setup-function.php#L55
https://plugins.trac.wordpress.org/changeset/3167825/
https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3c6d98-6f30-4a98-91c9-e77c1f960527?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:matbao:wp_helper_premium:*:*:*:*:*:wordpress:*:*

History

08 Apr 2026, 18:22

Type	Values Removed	Values Added
References	~~{'url': 'https://plugins.trac.wordpress.org/browser/wp-helper-lite/trunk/functions/class.wps-frontend-setup-function.php#L55', 'tags': ['Product'], 'source': 'security@wordfence.com'}~~	() https://plugins.trac.wordpress.org/browser/wp-helper-lite/tags/4.6.1/functions/class.wps-frontend-setup-function.php#L55 - () https://plugins.trac.wordpress.org/changeset/3167825/ -
Summary	(en) The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient.	(en) The WP Helper Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'whp_smtp_send_mail_test' function in all versions up to, and including, 4.6.1. This makes it possible for unauthenticated attackers to send emails containing any content and originating from the vulnerable WordPress instance to any recipient. CVE-2025-24737 is likely a duplicate of this issue.

15 Oct 2024, 14:14

Type	Values Removed	Values Added
References	~~() https://plugins.trac.wordpress.org/browser/wp-helper-lite/trunk/functions/class.wps-frontend-setup-function.php#L55 -~~	() https://plugins.trac.wordpress.org/browser/wp-helper-lite/trunk/functions/class.wps-frontend-setup-function.php#L55 - Product
References	~~() https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3c6d98-6f30-4a98-91c9-e77c1f960527?source=cve -~~	() https://www.wordfence.com/threat-intel/vulnerabilities/id/5f3c6d98-6f30-4a98-91c9-e77c1f960527?source=cve - Third Party Advisory
First Time		Matbao Matbao wp Helper Premium
CPE		cpe:2.3:a:matbao:wp_helper_premium::::::wordpress::*

10 Oct 2024, 12:51

Type	Values Removed	Values Added
Summary		(es) El complemento WP Helper Premium para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función 'whp_smtp_send_mail_test' en todas las versiones hasta la 4.6.1 incluida. Esto permite que atacantes no autenticados envíen correos electrónicos que contengan cualquier contenido y que se originen en la instancia vulnerable de WordPress a cualquier destinatario.

10 Oct 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-10 02:15

Updated : 2026-04-08 18:22

NVD link : CVE-2024-9065

Mitre link : CVE-2024-9065

CVE.ORG link : CVE-2024-9065

JSON object : View

Products Affected

matbao

wp_helper_premium

CWE

CWE-862

Missing Authorization

5.3 /10