Cyber Posture

CVE-2026-32519

Critical

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0006 18.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32519 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match
prevent

AC-6 enforces the principle of least privilege, directly mitigating incorrect privilege assignment in the Bit SMTP plugin that enables remote privilege escalation.

AC-3 Access Enforcement good match
prevent

AC-3 mandates enforcement of approved access authorizations, preventing exploitation of the plugin's flawed privilege mechanisms.

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and correction of system flaws, such as patching the vulnerable Bit SMTP plugin versions up to 1.2.2.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated remote privilege escalation vulnerability in public-facing WordPress plugin directly enables T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2.

Deeper analysisAI

CVE-2026-32519 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Bit Apps Bit SMTP (bit-smtp) WordPress plugin, enabling privilege escalation. The issue affects all versions from n/a through 1.2.2 and was published on 2026-03-25. It carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for broad impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network, though high attack complexity is involved. Successful exploitation allows privilege escalation, granting high-level access that compromises confidentiality, integrity, and availability across the affected system's scope, potentially leading to full control of the WordPress installation.

The Patchstack advisory provides details on this vulnerability in the bit-smtp plugin version 1.2.2 at https://patchstack.com/database/Wordpress/Plugin/bit-smtp/vulnerability/wordpress-bit-smtp-plugin-1-2-2-broken-authentication-vulnerability?_s_id=cve, including recommended mitigations such as updating the plugin.

Details

CWE(s)
CWE-266

CVEs Like This One

CVE-2026-32520Shared CWE-266
CVE-2025-44655Shared CWE-266
CVE-2026-27051Shared CWE-266
CVE-2026-23800Shared CWE-266
CVE-2026-32488Shared CWE-266
CVE-2026-32916Shared CWE-266
CVE-2025-68869Shared CWE-266
CVE-2024-56000Shared CWE-266
CVE-2026-23550Shared CWE-266
CVE-2026-24968Shared CWE-266

References