WordPress · WP Mail SMTP · CVE-2024-6694
**Name of the Vulnerable Software and Affected Versions**
WP Mail SMTP plugin for WordPress versions up to, and including, 4.0.1
**Description**
Authenticated attackers with administrative-level access and above can view the SMTP password for the supplied server when viewing the settings, because the plugin provides the SMTP password in the SMTP Password field. This could be useful information to an attacker in a limited environment if an administrator account becomes compromised.
**Recommendations**
For the WP Mail SMTP plugin for WordPress, versions up to and including 4.0.1, consider restricting access to the SMTP settings page to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit administrative-level access to trusted users only.
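
One way to check a saved copy of the settings page for the behaviour described above (an added example, not code from the plugin or from this advisory). The field names and sample HTML are constructed, and treating a value made only of mask characters as a placeholder is an assumption.

```python
from html.parser import HTMLParser

# Assumption: a value consisting only of these characters is a mask, not the secret.
MASK_CHARS = set("*•●")


class PasswordFieldAudit(HTMLParser):
    """Collect every <input type="password"> and the value it was rendered with."""

    def __init__(self):
        super().__init__()
        self.fields = []  # list of (field name, rendered value)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            name = a.get("name") or a.get("id") or "<unnamed>"
            self.fields.append((name, a.get("value", "")))


def exposed_password_fields(html):
    """Return names of password inputs whose value attribute carries real content.

    Only names are returned so the secret itself never reaches logs or reports.
    """
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return [name for name, value in parser.fields
            if value and not set(value) <= MASK_CHARS]


# Constructed sample markup; "smtp_host" and "smtp_pass" are hypothetical names.
PREFILLED = ('<form><input type="text" name="smtp_host" value="smtp.example.com">'
             '<input type="password" name="smtp_pass" value="S3cret-example"></form>')
EMPTY = '<form><input type="password" name="smtp_pass" value=""></form>'
MASKED = '<form><input type="password" name="smtp_pass" value="********" /></form>'

if __name__ == "__main__":
    for label, page in (("prefilled", PREFILLED), ("empty", EMPTY), ("masked", MASKED)):
        hits = exposed_password_fields(page)
        print(f"{label}: {'EXPOSED ' + ', '.join(hits) if hits else 'ok'}")
```

A non-empty result means the stored secret is present in the page source delivered to the browser, so the SMTP credential should be treated as readable by anyone who can load that page.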