WordPress Plugin Flaw Lets Attackers Hijack Site Emails

The Sendmachine for WordPress plugin harbors a critical vulnerability (CVE-2026-6235) that allows unauthenticated attackers to bypass authorization checks. This flaw, present in all versions up to 1.0.20, stems from improper verification within the ‘manage_admin_requests’ function. Attackers can exploit this to overwrite the plugin’s SMTP configuration.

The immediate impact is severe: attackers can intercept all outbound emails originating from the compromised WordPress site. This includes sensitive communications like password reset emails, effectively enabling credential harvesting and further account takeover. The National Vulnerability Database rates this vulnerability as CRITICAL with a CVSS score of 9.8.

Defenders must prioritize patching or disabling the Sendmachine for WordPress plugin immediately. Any site using this plugin is at high risk. CISOs should review their email security posture and consider implementing out-of-band email verification methods for critical functions like password resets, independent of direct plugin configurations.

What This Means For You

  • If your organization uses the Sendmachine for WordPress plugin, audit your website immediately. Verify the plugin version and patch to 1.0.20 or later, or disable it entirely if patching isn't feasible. Review your SMTP configuration and logs for any unauthorized changes or suspicious email activity.
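One way to run the version audit described above across every WordPress install under a web root, as an added example (not code from the plugin or from the original source). It assumes the plugin directory is named `sendmachine`; because this page gives 1.0.20 both as the end of the affected range and as the version to patch to, an install at exactly 1.0.20 is reported as `verify` rather than `ok`.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "sendmachine"  # assumed plugin directory name; adjust to your install
BOUNDARY = (1, 0, 20)        # the version number given on this page

# Header lines look like " * Version: 1.0.19" inside the main file's comment block.
NAME_RE = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9A-Za-z.\-]+)", re.M | re.I)

# Constructed sample header, not taken from the real plugin.
SAMPLE_HEADER = b"<?php\n/*\n * Plugin Name: Sendmachine\n * Version: 1.0.19\n */\n"

def version_from_header(head):
    """Return the Version string from a plugin main-file header, or None."""
    if not NAME_RE.search(head):
        return None
    m = VERSION_RE.search(head)
    return m.group(1).decode("ascii", "replace") if m else None

def classify(version):
    """Map a version string to affected / verify / ok / unknown."""
    nums = [int(n) for n in re.findall(r"\d+", version or "")]
    if not nums:
        return "unknown"
    v = tuple(nums + [0] * (3 - len(nums)))
    if v < BOUNDARY:
        return "affected"
    # 1.0.20 is both the end of the affected range and the target version on this page
    return "verify" if v == BOUNDARY else "ok"

def audit(webroot):
    """Return {plugin_dir: (version, status)} for every copy found under webroot."""
    results = {}
    for d in Path(webroot).rglob(f"wp-content/plugins/{PLUGIN_SLUG}"):
        version = None
        for php in sorted(d.glob("*.php")):
            # WordPress only reads the first 8 KiB of a file for headers
            version = version_from_header(php.read_bytes()[:8192])
            if version:
                break
        results[str(d)] = (version, classify(version))
    return results

if __name__ == "__main__":
    for path, (ver, status) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:8} {ver or '-':10} {path}")
```

Run it with the directory that holds your sites as the only argument; any row marked `affected` or `verify` is a candidate for the SMTP configuration and log review described above.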

Related ATT&CK Techniques

  • T1190 Initial Access (critical): CVE-2026-6235 WordPress Sendmachine Plugin Authorization Bypass

Indicators of Compromise

ID              Type              Indicator
CVE-2026-6235   Vulnerability     CVE-2026-6235
CVE-2026-6235   Affected Product  all

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 22, 2026 at 12:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
