CVE-2026-4162
Published: 10 April 2026
Summary
CVE-2026-4162 is a high-severity Missing Authorization (CWE-862) vulnerability in the Gravity SMTP plugin for WordPress from Gravity Forms (vendor inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-4162 is a Missing Authorization vulnerability (CWE-862) affecting the Gravity SMTP plugin for WordPress in versions up to and including 2.1.4. The flaw arises because the plugin fails to properly verify whether a user is authorized to perform certain actions, enabling unauthorized modifications to plugin settings and status.
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). Successful exploitation allows them to uninstall and deactivate the plugin as well as delete its options, potentially disrupting email functionality. The vulnerability is also exploitable via a Cross-Site Request Forgery (CSRF) vector.
Advisories from Gravity Forms and Wordfence recommend updating to Gravity SMTP version 2.1.5, which addresses the authorization checks. Security practitioners should verify plugin versions on WordPress sites and apply the patch promptly to mitigate risks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21356
Vulnerability details
The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.
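The two defects the advisory describes, a handler that never checks the caller's authorization (CWE-862) and the same handler being reachable through CSRF, map to two specific omissions in a WordPress action handler. The following is an added example written for this page; it is not Gravity SMTP's code, and the hook name `example_plugin_uninstall`, the option name `example_plugin_settings` and the nonce action are hypothetical placeholders. It shows a hypothetical admin-ajax handler in the unsafe shape beside the hardened shape a maintainer would ship, using only core WordPress functions (`current_user_can`, `check_ajax_referer`, `wp_create_nonce`, `delete_option`, `deactivate_plugins`).

```php
<?php
// Added example (not Gravity SMTP's code). Names prefixed "example_" are
// hypothetical placeholders chosen for this illustration.

// --- Unsafe pattern: CWE-862 Missing Authorization, also CSRF-exposed ---
// wp_ajax_* hooks fire for ANY logged-in user, including subscribers.
// Nothing here asks whether the caller may manage plugins, and nothing
// proves the request originated from this site rather than a third-party
// page the user happened to visit while logged in (the CSRF vector).
add_action( 'wp_ajax_example_plugin_uninstall', 'example_plugin_uninstall_unsafe' );
function example_plugin_uninstall_unsafe() {
    delete_option( 'example_plugin_settings' );            // wipes plugin options
    deactivate_plugins( plugin_basename( __FILE__ ) );     // deactivates the plugin
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_plugin_uninstall_v2', 'example_plugin_uninstall_hardened' );
function example_plugin_uninstall_hardened() {
    // 1. Authorization (AC-3 / AC-6): deactivating a plugin and deleting its
    //    options are administrative operations, so require the capabilities
    //    that govern them. Subscribers hold neither, so they are refused here.
    if ( ! current_user_can( 'activate_plugins' ) || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // sends the response and exits
    }

    // 2. CSRF: the request must carry a nonce that WordPress minted for this
    //    user and this action. check_ajax_referer() dies with -1 on mismatch,
    //    so a forged cross-site request never reaches the destructive calls.
    check_ajax_referer( 'example_plugin_uninstall', 'nonce' );

    delete_option( 'example_plugin_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success();
}

// The legitimate settings page obtains the nonce server-side and passes it to
// its script, so only requests built from that page can satisfy step 2.
add_action( 'admin_enqueue_scripts', 'example_plugin_enqueue_settings_script' );
function example_plugin_enqueue_settings_script( $hook_suffix ) {
    if ( 'settings_page_example_plugin' !== $hook_suffix ) {
        return; // only on the plugin's own settings screen (hypothetical slug)
    }
    wp_enqueue_script( 'example-plugin-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-plugin-settings', 'examplePlugin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_plugin_uninstall' ),
    ) );
}
```

The ordering matters: the capability check runs before the nonce check, so an unauthorized caller gets a 403 without ever learning whether a nonce was valid, and the nonce check runs before any state change. For the affected-version check the advisory asks for, `wp plugin list --fields=name,status,version` on the site host lists every installed plugin with its version, so a Gravity SMTP entry at or below 2.1.4 is the condition to look for.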
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing WordPress plugin, directly enabling network exploitation of the application to perform unauthorized actions such as plugin deactivation.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the plugin's failure to verify user authorization before allowing uninstallation, deactivation, and option deletion.
AC-6 enforces least privilege, preventing subscriber-level users from possessing or exercising permissions to modify plugin settings and status.
SI-2 requires timely identification, reporting, and remediation of flaws like this missing authorization vulnerability through patching to version 2.1.5.