Cyber Posture

CVE-2026-32538

High

Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32538 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 13.5th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly remediates the specific flaw in the SMTP Mailer plugin that inserts sensitive information into sent data, preventing exploitation.
- Prevent (SI-15, Information Output Filtering): Filters sensitive information prior to output from the plugin, blocking retrieval of embedded sensitive data by unauthenticated attackers.
- Prevent (SC-14, Public Access Protections): Implements protections at public access points used by the WordPress plugin to prevent unauthorized retrieval of exposed sensitive data.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a sensitive data exposure in a public-facing WordPress plugin directly matches T1190 Exploit Public-Facing Application (C:H/I:N/A:N impact: confidentiality only).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data. This issue affects SMTP Mailer: from n/a through <= 1.1.24.

Deeper analysis

CVE-2026-32538 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the Noor Alam SMTP Mailer (smtp-mailer) WordPress plugin. This issue affects all versions from n/a through 1.1.24 and allows attackers to retrieve embedded sensitive data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity primarily due to its confidentiality impact.

Unauthenticated attackers with network access can exploit this vulnerability remotely with low attack complexity and no user interaction required. Exploitation enables retrieval of sensitive data embedded in information sent by the plugin, such as details transmitted via SMTP.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/smtp-mailer/vulnerability/wordpress-smtp-mailer-plugin-1-1-24-sensitive-data-exposure-vulnerability?_s_id=cve) documents the sensitive data exposure vulnerability in the WordPress SMTP Mailer plugin version 1.1.24.

Details

CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)

CVEs Like This One

- CVE-2026-27934 (shared CWE-201)
- CVE-2025-68033 (shared CWE-201)
- CVE-2025-68035 (shared CWE-201)
- CVE-2026-27406 (shared CWE-201)
- CVE-2025-23781 (shared CWE-201)
- CVE-2025-24582 (shared CWE-201)
- CVE-2026-27370 (shared CWE-201)
- CVE-2025-22303 (shared CWE-201)
- CVE-2025-67931 (shared CWE-201)
- CVE-2025-23774 (shared CWE-201)

References

- Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/smtp-mailer/vulnerability/wordpress-smtp-mailer-plugin-1-1-24-sensitive-data-exposure-vulnerability?_s_id=cve