CVE-2026-6235
Published: 22 April 2026
Summary
CVE-2026-6235 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved authorizations before allowing access to sensitive functions like overwriting SMTP configuration, preventing the authorization bypass.
Restricts access to mechanisms controlling changes to system configurations, such as the plugin's SMTP settings, blocking unauthorized modifications.
Limits privileges to only those necessary for tasks, reducing the impact of authorization bypasses on admin functions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass in public-facing WordPress plugin directly enables remote exploitation (T1190); overwriting SMTP config facilitates interception of outbound emails including password resets (T1114).
NVD Description
The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform…
more
an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).
Deeper analysisAI
CVE-2026-6235, published on 2026-04-22, is an authorization bypass vulnerability in the Sendmachine for WordPress plugin, affecting all versions up to and including 1.0.20. The issue stems from the 'manage_admin_requests' function, which fails to properly verify user authorization before allowing actions. This flaw, classified under CWE-862, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without user interaction by invoking the flawed function to overwrite the plugin's SMTP configuration. Successful exploitation enables attackers to intercept all outbound emails from the affected WordPress site, including sensitive ones like password reset emails, potentially leading to account takeovers or data exfiltration.
Advisories reference specific code locations in the plugin source, including sendmachine_email_manager.php at line 39, and sendmachine_wp_admin.php at lines 174 and 183, highlighting the missing authorization checks. Additional details are available in Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve.
Details
- CWE(s)