Post SMTP – Complete Email Deliverability and SMTP Solution with Em…

by | Mar 18, 2026 | Plugins

Attack Vectors

This Medium-severity vulnerability (CVSS 5.3) affects the WordPress plugin Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App (slug: post-smtp) in versions up to and including 3.8.0.

An attacker must be able to log in to your WordPress site with at least Subscriber access. With that foothold, they can use a crafted URL to trigger a redirect handler and overwrite the site’s Office 365 OAuth mail configuration values (including access token, refresh token, and the associated user email).

Reference: CVE-2026-2559 (source reporting: Wordfence).

Security Weakness

The issue is described as a missing authorization check in the plugin’s handle_office365_oauth_redirect() function. According to the advisory, the function is hooked to admin_init but lacks a current_user_can() capability check and does not verify a nonce. As a result, an authenticated user with low privileges can cause sensitive configuration to be modified when they shouldn’t be able to.

In business terms: this is a permissions/approval failure that allows a basic account to change a critical system integration (your outbound email identity and tokens), without the normal safeguards.
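To make the missing safeguards concrete, here is an added example (not Post SMTP's own code) of how a handler hooked to admin_init can gate a configuration change behind the two checks the advisory says were absent: a capability check and a nonce carried in the OAuth state parameter. Every "example_" function, option name and the callback query parameter are assumptions, and the token endpoint URL is Microsoft's public v2.0 endpoint.

```php
<?php
// Added illustrative example, not Post SMTP's own code; every "example_" name
// is hypothetical. admin_init fires for any authenticated user who loads a
// wp-admin page (Subscribers can open profile.php) and for admin-ajax.php, so
// a handler on this hook must enforce its own authorization.
add_action( 'admin_init', 'example_handle_office365_oauth_redirect' );

function example_handle_office365_oauth_redirect() {
    // Act only on our own callback request.
    if ( empty( $_GET['example_office365_callback'] ) ) {
        return;
    }
    // Capability check: only users who may manage options can change the
    // site's outbound mail identity and tokens.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'example' ), 403 );
    }
    // Nonce check: the OAuth 'state' value was minted with
    // wp_create_nonce( 'example_office365_oauth_state' ) when the admin started
    // the flow, so a crafted callback URL cannot be replayed.
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'example_office365_oauth_state' ) ) {
        wp_die( esc_html__( 'Invalid or expired request.', 'example' ), 403 );
    }
    $code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
    if ( '' === $code ) {
        return;
    }
    // Only now exchange the code at Microsoft's token endpoint and persist the result.
    $response = wp_remote_post( 'https://login.microsoftonline.com/common/oauth2/v2.0/token', array(
        'body' => array(
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => get_option( 'example_office365_client_id' ),
            'client_secret' => get_option( 'example_office365_client_secret' ),
            'redirect_uri'  => admin_url( 'options-general.php?example_office365_callback=1' ),
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( esc_html__( 'Token exchange failed.', 'example' ), 502 );
    }
    $tokens = json_decode( wp_remote_retrieve_body( $response ), true );
    update_option( 'example_office365_tokens', array(
        'access_token'  => $tokens['access_token'] ?? '',
        'refresh_token' => $tokens['refresh_token'] ?? '',
    ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&connected=1' ) );
    exit;
}
```

Because the state value is a WordPress nonce tied to the logged-in user, a callback URL copied from one session cannot be replayed by another account, and the capability check stops low-privilege users before any option is written.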

Technical or Business Impacts

Email identity and trust risk: If your Office 365 OAuth settings are overwritten, your site may start sending mail using an attacker-controlled configuration (or fail to send mail at all). That can affect password resets, lead notifications, order confirmations, and other mission-critical messages.

Customer and revenue impact: Disrupted or diverted email can lead to lost leads, missed support requests, delayed sales operations, and damaged sender reputation. For marketing teams, this can undermine campaign performance and deliverability during key periods.

Compliance and audit concerns: Unauthorized changes to email transport settings can complicate incident response and raise questions about access controls, especially if regulated communications or customer data workflows depend on reliable outbound email.

Operational disruption: Even without data theft, the integrity impact is high (the CVSS vector indicates Integrity is impacted). Teams may need to spend time diagnosing “why email broke,” restoring settings, rotating credentials/tokens, and validating that transactional messages are functioning end-to-end.

Remediation: Update Post SMTP to version 3.9.0 or a newer patched version.

Similar Attacks

While not identical, these real-world examples show how third-party software weaknesses can lead to business-impacting compromise or disruption:

CVE-2020-25213 (WP File Manager) — a widely exploited WordPress plugin vulnerability that demonstrated how quickly plugin issues can be weaponized at scale.

CVE-2021-34621 (MailPoet) — a WordPress plugin vulnerability that underscored the risk of attackers leveraging plugin flaws to impact site operations and trust.

Microsoft: Storm-0558 forged token attack — a high-profile incident illustrating the business risk when authentication tokens and identity flows are targeted.
