Platform
wordpress
Component
sendmachine
Fixed in
1.0.21
1.0.21
CVE-2026-6235 is a privilege escalation vulnerability affecting the Sendmachine for WordPress plugin. An unauthenticated attacker can exploit this flaw to modify the plugin's SMTP configuration, potentially leading to email interception and other malicious actions. This vulnerability impacts versions of Sendmachine for WordPress up to and including 1.0.20. A patch is available; upgrading is the recommended remediation.
The primary impact of CVE-2026-6235 is the ability for an unauthenticated attacker to intercept all outbound emails sent by a WordPress site using the Sendmachine plugin. This includes sensitive information like password reset emails, order confirmations, and potentially other confidential data. Successful exploitation allows attackers to potentially perform account takeover by intercepting password reset links. The attacker could also use the compromised SMTP configuration to send phishing emails appearing to originate from the legitimate domain, further expanding the attack surface. This vulnerability shares similarities with other authorization bypass flaws where improper access controls allow unauthorized actions.
CVE-2026-6235 was published on 2026-04-21. The vulnerability's severity is rated as CRITICAL (CVSS 9.8). Currently, there are no publicly known active campaigns exploiting this specific vulnerability. The lack of a fixed version makes it difficult to assess the current exploitation probability, but the ease of exploitation suggests a potential for future exploitation. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.03% (9% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-6235 is to upgrade the Sendmachine for WordPress plugin to a patched version. Unfortunately, the specific fixed version is not provided. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider temporarily disabling the Sendmachine plugin to prevent further exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block unauthorized modifications to the plugin's configuration files could offer some protection. Monitor WordPress logs for suspicious activity related to SMTP configuration changes.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6235 is a critical vulnerability in Sendmachine for WordPress versions up to 1.0.20 allowing unauthenticated attackers to modify SMTP configurations and intercept emails.
You are affected if you are using Sendmachine for WordPress version 1.0.20 or earlier. Check your plugin version immediately.
Upgrade to the latest available version of Sendmachine for WordPress. If upgrading is not possible, temporarily disable the plugin.
Currently, there are no publicly known active campaigns exploiting this vulnerability, but the ease of exploitation suggests a potential for future attacks.
Refer to the WordPress plugin repository and Sendmachine's official website for updates and advisories related to CVE-2026-6235.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.