PT-2026-26069 · WordPress · Post SMTP

Michael Iden · Published 2026-03-18 · Updated 2026-03-18
CVE-2026-2559 · CVSS v3.1 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Post SMTP plugin for WordPress, versions up to and including 3.8.0
Description: The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data because of a missing capability check in the handle_office365_oauth_redirect() function. The function is hooked to the admin_init action, which WordPress fires on every wp-admin request for any logged-in user (it does not imply administrator privileges), and it performs neither an authorization check nor nonce verification. As a result, an authenticated attacker with Subscriber-level access or higher can overwrite the Office 365 OAuth mail configuration (access token, refresh token and user email) by requesting a crafted URL. The affected configuration is consumed by the Microsoft 365 SMTP wizard, which is available only in the Pro version of the plugin, so the practical impact depends on that version being in use (reflected in the CVSS attack complexity of High). An attacker could also lure an Administrator into completing the OAuth connection against an attacker-controlled Azure application, so that the site's mail is relayed through an account the attacker controls, leading to account compromise once the site upgrades to the Pro version.
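The following PHP is an added illustration written for this page, not Post SMTP's own code, of the pattern the advisory describes: an admin_init handler that saves Office 365 OAuth data arriving on the query string, first without any check, then hardened with a capability check and a nonce carried in the OAuth state parameter. Every name in it (the example_* functions, the example_office365_oauth option, the example_o365_redirect and other query parameters, the example-mail settings page) is an assumption made for the example; it assumes a WordPress runtime for update_option(), current_user_can(), wp_verify_nonce() and friends.

```php
<?php
/**
 * Added illustration, not Post SMTP's own code: a hypothetical admin_init
 * handler that stores Office 365 OAuth data from the query string, first in
 * the unsafe shape the advisory describes, then hardened. All names here
 * (example_* functions, the example_office365_oauth option, the query
 * parameters, the example-mail page) are assumptions for the example.
 */

// Unsafe pattern. admin_init fires on every wp-admin request for any
// logged-in user; a Subscriber opening their own profile page triggers it.
function example_vuln_handle_office365_oauth_redirect() {
    if ( empty( $_GET['example_o365_redirect'] ) ) {
        return;
    }
    // No capability check and no nonce: any authenticated user, or an
    // Administrator tricked into following a link, overwrites the mail
    // configuration with attacker-chosen values.
    update_option( 'example_office365_oauth', array(
        'access_token'  => sanitize_text_field( wp_unslash( $_GET['access_token'] ?? '' ) ),
        'refresh_token' => sanitize_text_field( wp_unslash( $_GET['refresh_token'] ?? '' ) ),
        'user_email'    => sanitize_email( wp_unslash( $_GET['user_email'] ?? '' ) ),
    ) );
}
// Registration of the unsafe handler is left commented out so that only the
// hardened handler below is hooked when this file is loaded.
// add_action( 'admin_init', 'example_vuln_handle_office365_oauth_redirect' );

// Hardened pattern: the same handler with the two missing controls.
function example_safe_handle_office365_oauth_redirect() {
    if ( empty( $_GET['example_o365_redirect'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage site options can change
    //    how the site sends mail. Subscriber-level accounts fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change mail settings.' ), 403 );
    }
    // 2. Nonce / CSRF: the redirect must belong to a flow this site started
    //    for this user. The nonce travels in the OAuth state parameter,
    //    created by example_safe_office365_authorize_url() below, so a link
    //    forged by an attacker is rejected even if an Administrator clicks it.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'example_office365_oauth' ) ) {
        wp_die( esc_html__( 'Invalid or expired OAuth state.' ), 403 );
    }
    update_option( 'example_office365_oauth', array(
        'access_token'  => sanitize_text_field( wp_unslash( $_GET['access_token'] ?? '' ) ),
        'refresh_token' => sanitize_text_field( wp_unslash( $_GET['refresh_token'] ?? '' ) ),
        'user_email'    => sanitize_email( wp_unslash( $_GET['user_email'] ?? '' ) ),
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-mail&connected=1' ) );
    exit;
}
add_action( 'admin_init', 'example_safe_handle_office365_oauth_redirect' );

// Where the nonce comes from: the URL the Administrator is sent to when they
// start the connection. wp_create_nonce() ties the value to the current user
// and session; wp_verify_nonce() above checks it on the way back. Values are
// rawurlencode()d because add_query_arg() does not encode them itself.
function example_safe_office365_authorize_url( $client_id, $tenant ) {
    return add_query_arg( array(
        'client_id'     => rawurlencode( $client_id ),
        'response_type' => 'code',
        'redirect_uri'  => rawurlencode( admin_url( '?example_o365_redirect=1' ) ),
        'scope'         => rawurlencode( 'offline_access https://outlook.office.com/SMTP.Send' ),
        'state'         => wp_create_nonce( 'example_office365_oauth' ),
    ), 'https://login.microsoftonline.com/' . rawurlencode( $tenant ) . '/oauth2/v2.0/authorize' );
}
```

The capability check alone closes the Subscriber-level path; the nonce in state is what stops the second scenario, where an Administrator is lured into a redirect the site never initiated. After updating, a site operator can confirm the installed version with WP-CLI (`wp plugin get post-smtp --field=version`, assuming the plugin slug is post-smtp) and should review the stored Office 365 connection for an unexpected user email before relying on it.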
Recommendations: Update the Post SMTP plugin to a version later than 3.8.0. Because the flaw allows the stored Office 365 OAuth settings to be overwritten, administrators should also inspect the connected account and tokens after updating and reconnect the Microsoft 365 wizard from a trusted session if anything looks unexpected.

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-2559

Affected Products

Microsoft365
Post Smtp