PT-2024-37803 · WordPress · Wp Mail Smtp

Guus Verbeek · Published 2024-07-20 · Updated 2024-07-22 · CVE-2024-6694

CVSS v3.1: 2.7 (Low)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

WP Mail SMTP plugin for WordPress versions up to, and including, 4.0.1

Description

The issue allows authenticated attackers with administrative-level access and above to view the SMTP password for the supplied server when viewing the settings, as the plugin provides the SMTP password in the SMTP Password field. This could be useful information to an attacker in a limited environment if an administrator account becomes compromised.

Recommendations

For WP Mail SMTP plugin for WordPress versions up to, and including, 4.0.1, consider restricting access to the SMTP settings page to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit administrative-level access to trusted users only.
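
The description above concerns a settings form that renders a stored password back into its password field. The following check, run against a saved copy of a settings page, flags that pattern; it is an added example, not code from the plugin or from this advisory, and the field names and HTML samples are constructed.

```python
from html.parser import HTMLParser

MASK_CHARS = set("*\u2022")  # characters commonly used for a masked placeholder


class PrefilledSecretFinder(HTMLParser):
    """Collects <input type="password"> fields rendered with a real value."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "password":
            return
        value = a.get("value", "")
        # Empty values and pure mask strings do not disclose the secret.
        if value.strip() and set(value) - MASK_CHARS:
            # Record field name and length only, never the secret itself.
            name = a.get("name") or a.get("id") or "<unnamed>"
            self.findings.append((name, len(value)))


def find_prefilled_passwords(html):
    """Return [(field_name, value_length)] for password inputs that echo a value."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: password echoed into the form (field names are hypothetical).
SAMPLE_ECHOED = """
<form method="post">
  <input type="text" name="smtp_host" value="smtp.example.test">
  <input type="password" name="smtp_pass" value="constructed-secret-123">
</form>
"""

# Constructed sample: same form with the value left empty.
SAMPLE_EMPTY = SAMPLE_ECHOED.replace("constructed-secret-123", "")

if __name__ == "__main__":
    for label, page in (("echoed", SAMPLE_ECHOED), ("empty", SAMPLE_EMPTY)):
        print(label, find_prefilled_passwords(page))
```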

Related Identifiers

CVE-2024-6694

Affected Products

Wp Mail Smtp