CVE-2026-6963: WordPress WP Mail Gateway Plugin Allows Privilege Escalation

The WP Mail Gateway plugin for WordPress, in all versions up to and including 1.8, is vulnerable to unauthorized modification of its settings, as reported by the National Vulnerability Database. The flaw, tracked as CVE-2026-6963, stems from a missing capability check on the wmg_save_provider_config AJAX action. WordPress runs every handler registered on a wp_ajax_ hook for any logged-in user who calls /wp-admin/admin-ajax.php, regardless of role, so a handler that never calls current_user_can() accepts requests from accounts with nothing more than Subscriber-level access. Those accounts can then rewrite the plugin's SMTP settings.

This is more than a configuration tweak; it is a privilege escalation chain. An attacker who points the SMTP settings at a mail server they control, then requests a password reset for an administrator account, receives the reset link instead of the administrator, sets a new password, and takes over the site. The National Vulnerability Database has assigned a CVSS score of 8.8 (HIGH) to this vulnerability, reflecting high impact on confidentiality, integrity, and availability.
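The following PHP is an added illustration of the bug class described above, not the plugin's actual code and not taken from the NVD entry. The handler bodies, the option key 'wmg_provider_config', the wmg_example_* function names and the nonce action name are assumptions made for the example; the contrast between the two handlers is the point.

```php
<?php
// Added illustration of the bug class behind CVE-2026-6963. This is not the
// plugin's code: the handler bodies, the option key 'wmg_provider_config' and
// the nonce action name are assumptions made for the example.

// Reads the provider settings from the POST body. Input sanitisation is not
// the problem here; the missing step is authorisation.
function wmg_example_read_config() {
    return array(
        'host'     => sanitize_text_field( wp_unslash( $_POST['host'] ?? '' ) ),
        'port'     => absint( $_POST['port'] ?? 587 ),
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'password' => (string) wp_unslash( $_POST['password'] ?? '' ),
    );
}

// VULNERABLE: WordPress fires wp_ajax_{action} for any logged-in user who
// calls /wp-admin/admin-ajax.php, whatever their role. With no capability
// check, a Subscriber can point outgoing mail at a host they control.
// Adding check_ajax_referer() on its own would NOT fix this: a nonce proves
// the request came from a page the user loaded, not that the user is allowed
// to change mail settings. Authorisation and CSRF protection are separate.
function wmg_example_save_config_vulnerable() {
    update_option( 'wmg_provider_config', wmg_example_read_config() );
    wp_send_json_success();
}

// FIXED: authorise first, then defend against CSRF, then write.
function wmg_example_save_config_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so nothing below runs.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // The settings page is assumed to send wp_create_nonce( 'wmg_save_provider_config' )
    // in a 'nonce' field; a bad or missing nonce terminates the request here.
    check_ajax_referer( 'wmg_save_provider_config', 'nonce' );
    update_option( 'wmg_provider_config', wmg_example_read_config() );
    wp_send_json_success();
}

// Only the fixed handler is wired up; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_wmg_save_provider_config', 'wmg_example_save_config_fixed' );
```

The ordering in the fixed handler matters: the capability check comes before the nonce check so that an unauthorised caller gets a 403 without learning anything about nonce validity, and 'manage_options' is the capability WordPress itself uses for site-wide settings.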

Defenders should treat this with urgency. A vulnerability that lets a low-privileged account take over administrator accounts bypasses the role model WordPress relies on and targets the most sensitive users in the installation. The attacker's path is short: find a site running the plugin, obtain a basic account (for example through open user registration, where enabled), and escalate to administrator with minimal effort.

What This Means For You

  • If your organization runs the WP Mail Gateway plugin for WordPress, check the installed version now. Update to a fixed release if one is available; otherwise deactivate the plugin until one is. Then audit for abuse: look for password reset requests against administrator accounts, recent POST requests to admin-ajax.php invoking wmg_save_provider_config from non-administrator users, and any change to the stored SMTP host, port or credentials that no administrator made. If the settings were altered, rotate the SMTP credentials and reset administrator passwords, since reset links may already have been captured. This is a direct path to full site compromise.
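Where the plugin cannot be removed immediately, a must-use plugin can enforce the missing check in front of the vulnerable handler and record changes to the stored settings for the audit described above. The file below is an added example, not code from the plugin, the advisory or NVD. It assumes the handler is registered on wp_ajax_wmg_save_provider_config at the default priority (10) and that the plugin keeps its settings in options whose names start with 'wmg'; both should be confirmed against the installed plugin and wp_options before relying on it.

```php
<?php
/**
 * Plugin Name: WMG virtual patch and audit log
 * Description: Added example for CVE-2026-6963; not the plugin's or NVD's code.
 */

// Place this file in wp-content/mu-plugins/ so it loads before normal plugins.
// Assumptions: the vulnerable handler is hooked on wp_ajax_wmg_save_provider_config
// at the default priority (10), and the plugin's settings live in options whose
// names begin with 'wmg'. Check wp_options and adjust the prefix if not.
define( 'WMG_AUDIT_OPTION_PREFIX', 'wmg' );

// Keys that look like passwords must never reach the log.
function wmg_audit_redact( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $key => $item ) {
            $value[ $key ] = ( false !== stripos( (string) $key, 'pass' ) )
                ? '[redacted]'
                : wmg_audit_redact( $item );
        }
    }
    return $value;
}

// 1) Virtual patch until a fixed release is installed. Priority 0 runs before
//    the plugin's own handler, and wp_send_json_error() terminates the request,
//    so non-administrators never reach the vulnerable code. Each blocked call
//    is logged with the account that made it, which is also the detection
//    signal the "audit your user logs" advice above is looking for.
add_action( 'wp_ajax_wmg_save_provider_config', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin as before
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'wmg_audit: BLOCKED wmg_save_provider_config user=%d login=%s roles=%s ip=%s',
        $user->ID,
        $user->user_login,
        implode( ',', $user->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}, 0 );

// 2) Audit trail for the settings themselves. updated_option fires only when a
//    stored value actually changes, so every line is a real modification tied
//    to the acting account (user=0 means no logged-in user, e.g. cron or CLI).
add_action( 'updated_option', function ( $option, $old_value, $new_value ) {
    if ( 0 !== strpos( $option, WMG_AUDIT_OPTION_PREFIX ) ) {
        return;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'wmg_audit: option=%s changed by user=%d login=%s old=%s new=%s',
        $option,
        $user->ID,
        $user->user_login,
        wp_json_encode( wmg_audit_redact( $old_value ) ),
        wp_json_encode( wmg_audit_redact( $new_value ) )
    ) );
}, 10, 3 );
```

The two hooks answer different questions: the first stops and records attempts by non-administrators, the second records what actually changed and who changed it, which is what you need when reviewing SMTP settings for unauthorized modifications. Lines land in the PHP error log (or wherever error_log is routed), so forward that log to the SIEM alongside the web server log.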

🛡️ Detection Rules

Detection rules for this advisory were auto-generated and mapped to MITRE ATT&CK. The Sigma rule is shown below.

Severity: high · ATT&CK: T1068 Exploitation for Privilege Escalation

CVE-2026-6963: WP Mail Gateway AJAX Action Unauthorized Configuration Update

Sigma YAML:
title: CVE-2026-6963: WP Mail Gateway AJAX Action Unauthorized Configuration Update
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects POST requests to /wp-admin/admin-ajax.php that invoke the
  'wmg_save_provider_config' AJAX action. In WP Mail Gateway versions up to and
  including 1.8 this action lacks a capability check, so any authenticated user
  (Subscriber-level and above) can rewrite the site's SMTP settings and intercept
  password reset mail for administrator accounts.
  Caveat: WordPress normally sends the 'action' parameter in the POST body, so a
  web server access log that records only the request line will not match this
  rule. Feed it from a WAF, reverse proxy or application log that captures the
  request body, and where the log carries the WordPress user or role, restrict
  the match to non-administrators.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6963/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    c-uri|contains|all:
      - '/wp-admin/admin-ajax.php'
      - 'action=wmg_save_provider_config'
  condition: selection
falsepositives:
  - Administrators saving the plugin's settings; separate these by user role where the log allows it

Source: Shimi's Cyber World

Indicators of Compromise

These entries describe the vulnerability itself rather than attacker artefacts such as addresses or hashes; use them to decide what to look for.

ID              Type                Indicator
CVE-2026-6963   Affected versions   WP Mail Gateway plugin for WordPress, versions <= 1.8
CVE-2026-6963   Root cause          Missing capability check on the wmg_save_provider_config AJAX action (missing authorization, not an authentication bypass)
CVE-2026-6963   Impact              Authenticated users (Subscriber-level and above) can update the plugin's SMTP settings
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 08:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

WordPress Profile Builder Pro: Unauthenticated PHP Object Injection Risks Site Takeover

CVE-2026-7647 — The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is...

Tags: vulnerability, CVE, high-severity, insecure-deserialization, cwe-502
SCW Vulnerability Desk · HIGH 8.1 · 3 IOCs · 6 Sigma rules

PixelYourSite Pro Plugin SSRF Vulnerability (CVE-2026-7049)

CVE-2026-7049 — The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to,...

Tags: vulnerability, CVE, high-severity, server-side-request-forgery, cwe-918
SCW Vulnerability Desk · HIGH 7.2 · 4 IOCs · 3 Sigma rules

CVE-2026-6916 — Cross-Site Scripting (XSS)

CVE-2026-6916 — The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site...

Tags: vulnerability, CVE, medium-severity, cross-site-scripting-xss, cwe-79
SCW Vulnerability Desk · MEDIUM 6.4 · 2 IOCs · 3 Sigma rules