CVE-2026-2559

{"id": "CVE-2026-2559", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2026-03-18T16:16:27.217", "references": [{"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L104", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/Wizard/NewWizard.php#L2109", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484515/", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/323436b5-fbfe-4923-8b08-93c1fcabc016?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro."}, {"lang": "es", "value": "El plugin Post SMTP para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n `handle_office365_oauth_redirect()` en todas las versiones hasta la 3.8.0, inclusive. Esto se debe a que la funci\u00f3n est\u00e1 enganchada a `admin_init` sin ninguna verificaci\u00f3n de `current_user_can()` o verificaci\u00f3n de nonce. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, sobrescriban la configuraci\u00f3n de correo OAuth de Office 365 del sitio (token de acceso, token de actualizaci\u00f3n y correo electr\u00f3nico del usuario) a trav\u00e9s de una URL manipulada. La opci\u00f3n de configuraci\u00f3n se utiliza durante la configuraci\u00f3n guiada de SMTP de Microsoft365, solo disponible en la opci\u00f3n Pro del plugin. Esto podr\u00eda hacer que un Administrador crea que una aplicaci\u00f3n de Azure controlada por un atacante es suya, y los lleve a conectar el plugin a la cuenta del atacante durante la configuraci\u00f3n despu\u00e9s de actualizar a Pro."}], "lastModified": "2026-04-22T21:32:08.360", "sourceIdentifier": "security@wordfence.com"}