Cyber Resilience

CVE-2026-6235

Critical

Published: 22 April 2026

Published
22 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0058 43.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-6235 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-6235, published on 2026-04-22, is an authorization bypass vulnerability in the Sendmachine for WordPress plugin, affecting all versions up to and including 1.0.20. The issue stems from the 'manage_admin_requests' function, which fails to properly verify user authorization before allowing actions. This flaw, classified under CWE-862, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely without user interaction by invoking the flawed function to overwrite the plugin's SMTP configuration. Successful exploitation enables attackers to intercept all outbound emails from the affected WordPress site, including sensitive ones like password reset emails, potentially leading to account takeovers or data exfiltration.

Advisories reference specific code locations in the plugin source, including sendmachine_email_manager.php at line 39, and sendmachine_wp_admin.php at lines 174 and 183, highlighting the missing authorization checks. Additional details are available in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform…

more

an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1114 Email Collection Collection
Adversaries may target user email to collect sensitive information.
Why these techniques?

Authorization bypass in public-facing WordPress plugin directly enables remote exploitation (T1190); overwriting SMTP config facilitates interception of outbound emails including password resets (T1114).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69311Shared CWE-862
CVE-2026-3266Shared CWE-862
CVE-2026-45438Shared CWE-862
CVE-2025-23477Shared CWE-862
CVE-2025-68834Shared CWE-862
CVE-2026-22663Shared CWE-862
CVE-2024-12544Shared CWE-862
CVE-2024-50967Shared CWE-862
CVE-2025-68059Shared CWE-862
CVE-2025-14070Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations before allowing access to sensitive functions like overwriting SMTP configuration, preventing the authorization bypass.

prevent

Restricts access to mechanisms controlling changes to system configurations, such as the plugin's SMTP settings, blocking unauthorized modifications.

prevent

Limits privileges to only those necessary for tasks, reducing the impact of authorization bypasses on admin functions.

References