CVE-2026-2559 in Post SMTP Plugin
Summary
by MITRE • 03/18/2026
The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init` without any `current_user_can()` check or nonce verification. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the site's Office 365 OAuth mail configuration (access token, refresh token, and user email) via a crafted URL. The configuration option is used during wizard setup of Microsoft365 SMTP, only available in the Pro option of the plugin. This could cause an Administrator to believe an attacker-controlled Azure app is their own, and lead them to connect the plugin to the attacker's account during configuration after upgrading to Pro.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2026-2559 affects the Post SMTP plugin for WordPress, specifically targeting versions up to and including 3.8.0. This represents a critical authorization flaw that undermines the security of email configuration processes within WordPress environments. The issue stems from a fundamental missing capability check within the `handle_office365_oauth_redirect()` function, which operates at the administrative level and processes sensitive OAuth configuration data. The vulnerability manifests through improper access control mechanisms that fail to validate user permissions before allowing modification of critical system settings.
The technical implementation of this flaw occurs because the vulnerable function is registered to the `admin_init` hook without any verification of user capabilities or nonce validation. This design oversight creates a direct pathway for authenticated attackers who possess Subscriber-level access or higher to manipulate the Office 365 OAuth configuration parameters. The function processes access tokens, refresh tokens, and user email addresses that are essential for Microsoft 365 SMTP integration, making it a prime target for attackers seeking to establish persistent control over email delivery mechanisms. This vulnerability aligns with CWE-863, representing an Authorization Bypass Through User Control of Key Data, and maps to ATT&CK technique T1078.004 for Valid Accounts and T1566.002 for Phishing via Social Media.
The operational impact of this vulnerability extends beyond simple data modification, creating a sophisticated attack vector that can lead to complete compromise of email infrastructure. An attacker with minimal privileges can overwrite the legitimate Office 365 configuration with malicious credentials, potentially redirecting all outgoing email traffic through an attacker-controlled Azure application. This scenario creates a false sense of security for administrators who may unknowingly configure the plugin to connect to an attacker's account during the Pro version upgrade process. The attack chain becomes particularly dangerous because it leverages legitimate plugin functionality to establish persistence, making detection more challenging. The vulnerability affects the wizard setup process for Microsoft365 SMTP, which is only accessible through the Pro version, thereby increasing the potential impact for organizations that have invested in premium features.
Mitigation strategies should focus on immediate plugin updates to versions that address the capability check deficiency and implement proper nonce validation. Administrators must ensure that all users with access to the WordPress admin panel have appropriate privilege levels and that regular security audits are conducted on plugin configurations. The recommended remediation includes verifying that all admin functions properly implement `current_user_can()` checks and utilize nonce verification for all configuration modifications. Additionally, organizations should implement network monitoring to detect unusual OAuth redirect patterns and establish regular backup procedures for email configuration settings. Security teams should also consider implementing role-based access controls that limit the ability of lower-privilege users to modify critical system configurations, thereby reducing the attack surface for similar vulnerabilities. This vulnerability demonstrates the critical importance of proper access control implementation in web applications, particularly when handling sensitive authentication data that can be leveraged for broader system compromise.