PatchSiren cyber security CVE debrief

CVE-2026-7621 smtp2go CVE debrief

The SMTP2GO for WordPress plugin is vulnerable to unauthorized access in versions up to and including 1.16.0. The plugin fails to properly verify user authorization for administrative actions, allowing authenticated attackers with subscriber-level access or higher to truncate all SMTP2GO log records from the database or download CSV exports containing sensitive email metadata including recipient addresses, sender addresses, message subjects, and API response data. The vulnerability stems from missing capability checks in the plugin's administrative functions.

Vendor: smtp2go
Product: SMTP2GO for WordPress – Email Made Easy
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using the SMTP2GO plugin, security teams monitoring plugin vulnerabilities, and compliance officers responsible for email data protection.

Technical summary

The vulnerability exists due to insufficient authorization checks in the plugin's administrative handlers. Authenticated users with minimal privileges (subscriber and above) can invoke functions that truncate the database tables holding SMTP2GO logs or export sensitive email transmission data to CSV. The affected endpoints lack WordPress capability verification, violating the principle of least privilege. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects a network attack vector, low attack complexity, low privileges required, no user interaction, and, per the published vector, an impact on integrity only.
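The pattern behind CWE-862 in a WordPress plugin, and its fix, as an added illustration that is not the SMTP2GO plugin's code and does not reproduce its handlers. The function names, the table suffix example_mail_log, the AJAX action example_clear_log and the nonce action example_clear_log_nonce are all assumptions made for the example; only the WordPress API calls (add_action, current_user_can, check_ajax_referer, wp_send_json_error) are real.

```php
<?php
// Added illustration, not the SMTP2GO plugin's code. Names with the
// "example_" prefix and the table suffix are assumptions for this example.

// BEFORE: a "clear log" handler with no authorization check. The wp_ajax_{action}
// hook fires for every logged-in account, so a subscriber who sends
// action=example_clear_log to admin-ajax.php reaches the TRUNCATE unchallenged.
function example_clear_log_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_mail_log';
    $wpdb->query( "TRUNCATE TABLE {$table}" );
    wp_send_json_success( array( 'cleared' => true ) );
}
// Shown for contrast only; do not register the vulnerable variant.
// add_action( 'wp_ajax_example_clear_log', 'example_clear_log_vulnerable' );

// AFTER: the same handler with the two checks a privileged admin action needs.
function example_clear_log_hardened() {
    global $wpdb;

    // Authorization: who may do this. Subscribers do not hold manage_options,
    // so the request ends here with HTTP 403 and never reaches the query.
    // wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: was the request intentionally issued from the plugin's
    // own admin page? This is a separate concern from authorization; a nonce
    // alone would not have fixed the missing capability check above.
    check_ajax_referer( 'example_clear_log_nonce', 'nonce' );

    $table = $wpdb->prefix . 'example_mail_log';
    $wpdb->query( "TRUNCATE TABLE {$table}" );
    wp_send_json_success( array( 'cleared' => true ) );
}
add_action( 'wp_ajax_example_clear_log', 'example_clear_log_hardened' );
```

The admin page that triggers the action must emit the nonce with wp_create_nonce( 'example_clear_log_nonce' ) and send it as the nonce request field, otherwise the hardened handler rejects its own UI. The same two-check shape applies to a CSV export handler: the capability check belongs before the first byte of the export is streamed, since once headers and rows are sent there is nothing left to deny.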

Defensive priority

medium

Recommended defensive actions

  • Update the SMTP2GO for WordPress plugin to version 1.16.1 or later
  • Review WordPress user roles and remove unnecessary subscriber-level accounts
  • Audit SMTP2GO log tables for unauthorized truncation activity
  • Review access logs for unexpected CSV export requests from low-privilege accounts
  • Implement least-privilege access controls for WordPress administrative functions
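Web server access logs do not record POST bodies, so the action name of an admin-ajax.php request is usually invisible there. One way to make the audit steps above possible is to log admin actions from inside WordPress. The following must-use plugin is an added example, not part of the SMTP2GO plugin or this advisory's sources: it writes one line per admin-ajax.php or admin-post.php action with the caller's user ID and roles. The substring 'smtp2go' used to raise a flag is an assumption about how the plugin names its actions; every action is logged regardless, so the audit does not depend on that guess.

```php
<?php
/*
 * Plugin Name: Example Admin Action Audit
 * Description: Added illustration (not the SMTP2GO plugin's code). Drop into
 *              wp-content/mu-plugins/ to log every admin-ajax.php and
 *              admin-post.php action with the caller's identity.
 */

// admin_init fires for both admin-ajax.php and admin-post.php requests,
// before the wp_ajax_{action} / admin_post_{action} hooks run, so the
// audit line is written even when the handler later truncates or exports.
add_action( 'admin_init', 'example_audit_admin_action', 1 );

function example_audit_admin_action() {
    global $pagenow;

    // Only the two entry points through which plugin admin actions arrive.
    if ( ! in_array( $pagenow, array( 'admin-ajax.php', 'admin-post.php' ), true ) ) {
        return;
    }
    if ( empty( $_REQUEST['action'] ) ) {
        return;
    }

    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    $user   = wp_get_current_user();
    $roles  = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // Heuristic flag (assumption: the plugin's action names contain "smtp2go").
    // A plugin admin action from an account without manage_options is exactly
    // the access pattern this CVE describes, so it is marked for review.
    $flag = '';
    if ( false !== strpos( $action, 'smtp2go' ) && ! current_user_can( 'manage_options' ) ) {
        $flag = ' FLAG=low-priv-plugin-action';
    }

    error_log( sprintf(
        '[admin-action-audit] ts=%s page=%s action=%s user_id=%d roles=%s ip=%s%s',
        gmdate( 'c' ),
        $pagenow,
        $action,
        $user->ID,
        $roles,
        $ip,
        $flag
    ) );
}
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log; otherwise they go to the PHP error log. Searching that file for FLAG=low-priv-plugin-action gives the list of requests to review, and the unflagged lines still show which accounts invoked which admin actions and when. This records after the fact and blocks nothing; the plugin update remains the fix.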

Evidence notes

The vulnerability was reported by Wordfence and assigned CWE-862 (Missing Authorization). Source code references indicate the affected functionality resides in WordpressPlugin.php and WordpressPluginAdmin.php. The NVD entry shows a deferred status as of the last modification timestamp.

Official resources

2026-05-28