{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4162", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T22:45:31.558Z", "datePublished": "2026-04-10T09:25:56.478Z", "dateUpdated": "2026-04-13T15:15:09.053Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T09:25:56.478Z"}, "affected": [{"vendor": "RocketGenius", "product": "Gravity SMTP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector."}], "title": "Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"}, {"url": "https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "timeline": [{"time": "2026-03-17T17:39:59.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T21:01:07.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:52.295268Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:09.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:08:52.295268Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:11:45.727Z"}}], "cna": {"title": "Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall", "credits": [{"lang": "en", "type": "finder", "value": "Osvaldo Noe Gonzalez Del Rio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"}}], "affected": [{"vendor": "RocketGenius", "product": "Gravity SMTP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T17:39:59.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-09T21:01:07.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"}, {"url": "https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/"}], "descriptions": [{"lang": "en", "value": "The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T09:25:56.478Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4162", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:09.053Z", "dateReserved": "2026-03-13T22:45:31.558Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-10T09:25:56.478Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector."}], "id": "CVE-2026-4162", "lastModified": "2026-04-24T18:00:32.033", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T10:16:04.120", "references": [{"source": "security@wordfence.com", "url": "https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "gravity_smtp", "vendor": "rocketgenius"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T10:20:25.827617+00:00", "value": {"mitigation_remediation": ["Upgrade the Gravity SMTP plugin to version 2.1.5 or later.", "If an upgrade cannot be performed immediately, use a role editor or custom code to revoke uninstall capabilities for subscriber and lower roles.", "Monitor WordPress logs for unexpected plugin uninstall or deactivation events.", "Consider disabling the Uninstall functionality via plugin settings until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized plugin uninstall and configuration loss"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the RocketGenius Gravity SMTP plugin installed in versions 2.1.4 or earlier are vulnerable. Sites running later releases, such as 2.1.5 and above, are not affected.", "description_and_impact": "The Gravity SMTP plugin fails to perform proper authorization checks for uninstall and deactivate actions. As a result, any authenticated user with the subscriber role or higher can remove the plugin, disable its email sending capability, and delete its stored options. The same flaw allows an attacker to trigger the action via a Cross\u2011Site Request Forgery vector, potentially without direct interaction with the victim's browser if a malicious link is visited while the user is logged in.", "risk_and_exploitability": "The base CVSS score of 7.1 indicates a medium\u2011to\u2011high severity vulnerability. An EPSS score is not provided, and the issue is not catalogued by CISA\u2019s KEV list. An attacker can exploit the flaw by logging in with a subscriber or higher account or by sending a crafted CSRF request to a victim who is authenticated. The impact is site\u2011wide loss of outbound email capability and potential loss of configuration settings, affecting the confidentiality and availability of email communications."}}}}, "created": "2026-04-13T12:44:56.854734+00:00", "updated": "2026-04-13T13:06:10.025619+00:00", "vendors": ["rocketgenius", "rocketgenius$PRODUCT$gravity_smtp", "wordpress", "wordpress$PRODUCT$wordpress"]}