Cyber Resilience

CVE-2026-4162

Severity: High
Published: 10 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4162 is a high-severity Missing Authorization (CWE-862) vulnerability in the Gravity SMTP plugin for WordPress by Gravity Forms (vendor inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-4162 is a Missing Authorization vulnerability (CWE-862) affecting the Gravity SMTP plugin for WordPress in versions up to and including 2.1.4. The flaw arises because the plugin fails to properly verify whether a user is authorized to perform certain actions, enabling unauthorized modifications to plugin settings and status.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L). Successful exploitation allows them to uninstall and deactivate the plugin as well as delete its options, potentially disrupting email functionality. The vulnerability is also exploitable via a Cross-Site Request Forgery (CSRF) vector.

Advisories from Gravity Forms and Wordfence recommend updating to Gravity SMTP version 2.1.5, which addresses the authorization checks. Security practitioners should verify plugin versions on WordPress sites and apply the patch promptly to mitigate risks.
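As an added illustration of the pattern behind CWE-862 in a WordPress plugin (this is not Gravity SMTP's own code; the action name, option name, script handle and plugin path are hypothetical placeholders), the following shows an admin-ajax handler that fires for any logged-in user, beside the hardened form that enforces a capability check (the access enforcement and least privilege that AC-3 and AC-6 describe) and a nonce against the CSRF vector the advisory mentions:

```php
<?php
// Added example, not Gravity SMTP code. All names below are hypothetical.

// --- Vulnerable pattern (CWE-862): the handler trusts any logged-in user. ---
// wp_ajax_* hooks fire for every authenticated user, subscribers included,
// so "is logged in" is authentication only, not authorization.
add_action( 'wp_ajax_example_smtp_uninstall', 'example_smtp_uninstall_vulnerable' );
function example_smtp_uninstall_vulnerable() {
    delete_option( 'example_smtp_settings' );               // wipes plugin configuration
    deactivate_plugins( 'example-smtp/example-smtp.php' );  // disables the plugin
    wp_send_json_success();                                 // sends JSON and exits
}

// --- Hardened pattern: capability check plus nonce verification. ---
add_action( 'wp_ajax_example_smtp_uninstall_safe', 'example_smtp_uninstall_safe' );
function example_smtp_uninstall_safe() {
    // 1. Authorization: only users who may manage options and deactivate
    //    plugins proceed. A subscriber has neither capability, so the
    //    request ends here with HTTP 403 (wp_send_json_error exits).
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'deactivate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce minted for this action and
    //    this user. check_ajax_referer() terminates the request with -1
    //    when the nonce is missing, expired or issued for another action.
    check_ajax_referer( 'example_smtp_uninstall', '_wpnonce' );

    delete_option( 'example_smtp_settings' );
    deactivate_plugins( 'example-smtp/example-smtp.php' );
    wp_send_json_success();
}

// The nonce is generated server-side and exposed to the plugin's admin
// script (handle 'example-smtp-admin' is assumed to be registered elsewhere),
// which must send it back as the _wpnonce POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-smtp-admin', 'exampleSmtp', array(
        'nonce' => wp_create_nonce( 'example_smtp_uninstall' ),
    ) );
} );
```

Both checks are needed: the capability test alone still lets a CSRF request ride on an administrator's session, and the nonce alone still lets a subscriber with a valid nonce call the handler directly. When auditing a plugin for this class of flaw, look for `wp_ajax_*`, REST `permission_callback` and `admin_post_*` handlers that change state without a `current_user_can()` call.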

EU & UK References

Vulnerability details

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authorization flaw in a public-facing WordPress plugin, directly enabling network exploitation of the application to perform unauthorized actions such as plugin deactivation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Affected Assets

Gravityforms (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement [prevent]: mandates enforcement of approved authorizations for access to system resources, directly addressing the plugin's failure to verify user authorization before allowing uninstallation, deactivation, and option deletion.

AC-6 Least Privilege [prevent]: enforces least privilege, preventing subscriber-level users from possessing or exercising permissions to modify plugin settings and status.

SI-2 Flaw Remediation [prevent]: requires timely identification, reporting, and remediation of flaws like this missing authorization vulnerability through patching to version 2.1.5.

References