
Sendmachine for WordPress auth bypass lets unauthenticated attackers overwrite SMTP, intercept password reset emails — critical data breach risk

What happened

The Sendmachine for WordPress plugin (CVE-2026-6235) contains an authorization bypass in its manage_admin_requests function, according to the advisory. In versions up to and including 1.0.20, an unauthenticated attacker can overwrite the plugin's SMTP configuration, pointing outbound mail at a server they control and so intercepting messages such as password resets.

The vulnerability is rated CVSS 9.8 (critical). The advisory does not say when the issue was first discovered or whether exploitation in the wild has been observed, so neither has been confirmed.

Why this matters to businesses

If you run WordPress sites with the Sendmachine plugin, this is not theoretical trouble; it is operational risk. An intercepted password reset lets an attacker take over the account, reach the admin console and pivot into any other system that trusts that email address.

Customers, partners and suppliers who rely on email-based recovery or notifications are exposed; your security team will be firefighting access issues; and the board will want answers about detection and remediation. If personal data is exposed through account takeover, you may also face breach reporting obligations and regulatory attention.

And while I won’t be preachy, leaving plugins unpatched and treating email delivery as an afterthought is a really bad habit.

If you’ve got the same weakness, here’s what happens next

An attacker who can change your SMTP settings can quietly route copies of password resets and other transactional mail to a mailbox they control. From there, account takeover follows a familiar script, and it is usually slow and quiet rather than loud and flashy.

Once accounts are taken, fraud and data exfiltration are possible, trust evaporates, and recovery costs balloon because you must investigate logs, rotate credentials and reassure customers. It’s like someone swapping the postbox lock and reading every delivery before you even notice.

What to do on Monday morning

  1. Inventory: find every WordPress site running Sendmachine, note the plugin version, and list hosting and admin contacts.

  2. Patch or remove: upgrade the plugin if a fixed release exists, otherwise remove or disable the plugin immediately. If you cannot update, take the site offline or block the plugin's request endpoints at the WAF until a fix is in place.

  3. Audit SMTP: compare the plugin's current SMTP host, port and username with your known-good values, check recent changes to that configuration and the delivery logs for unusual recipients or relays, and rotate the SMTP credentials if there is any sign of tampering.

  4. Assess account risk: look for recent password reset activity, unusual logins or new admin users, and force resets or revoke sessions only where evidence supports it.

  5. Harden access: ensure WordPress admin endpoints are limited by IP or MFA, and remove unnecessary admin privileges and shared accounts.

  6. Detect and contain: enable or review logging for configuration changes, email delivery and unauthenticated POSTs to the WordPress admin endpoints (admin-ajax.php and admin-post.php), and start an incident timeline if you spot anomalies.

  7. Supplier check: if third parties manage your sites, confirm they’ve taken the same steps and insist on proof, not promises.
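As an added example (not code from the plugin, the advisory or this page), here is a POSIX shell script that carries out the inventory check in step 1 and tells you which sites fall inside the affected range, so step 2 can be applied only where it is needed. It assumes the plugin's WP-CLI slug is sendmachine (not confirmed above), parses the CSV shape produced by `wp plugin list`, and runs against a constructed sample in place of a live site:

```shell
#!/bin/sh
# Added example: gate a WordPress site's Sendmachine install against the
# affected range (<= 1.0.20 per the advisory). Assumptions: the plugin's
# WP-CLI slug is "sendmachine" (not confirmed by the advisory) and the input
# has the CSV layout of `wp plugin list --format=csv`.

PLUGIN_SLUG="sendmachine"   # assumed slug
LAST_AFFECTED="1.0.20"      # affected versions are <= this (from the advisory)

# version_le A B: return 0 when dotted version A <= B. Components are compared
# numerically left to right, a missing component counts as 0, and a suffix on
# a component is ignored ("20-beta" compares as 20).
version_le() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
    ai=$(printf '%s' "$ai" | sed 's/[^0-9].*//')
    bi=$(printf '%s' "$bi" | sed 's/[^0-9].*//')
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 0
}

# sendmachine_vulnerable VERSION: true when VERSION is in the affected range.
sendmachine_vulnerable() { version_le "$1" "$LAST_AFFECTED"; }

# audit_site: read `wp plugin list --format=csv` output on stdin and print one
# verdict: "NOT_INSTALLED", "VULNERABLE <version>" or "PATCHED <version>".
# The version column is located from the header row, so extra columns in
# newer WP-CLI releases do not matter.
audit_site() {
  ver=$(awk -F, -v slug="$PLUGIN_SLUG" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "version") vcol = i; next }
    $1 == slug && vcol { print $vcol; exit }')
  if [ -z "$ver" ]; then
    printf 'NOT_INSTALLED\n'
  elif sendmachine_vulnerable "$ver"; then
    printf 'VULNERABLE %s\n' "$ver"
  else
    printf 'PATCHED %s\n' "$ver"
  fi
}

# Constructed sample (not real site output) in the shape of
# `wp plugin list --format=csv`, for a site still on the affected release.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
sendmachine,active,available,1.0.20
hello-dolly,inactive,none,1.7.2'

audit_sample() { printf '%s\n' "$SAMPLE_CSV" | audit_site; }

# On a real host, feed each site's WP-CLI output instead of the sample, e.g.
#   for site in /var/www/*; do
#     printf '%s: ' "$site"
#     wp --path="$site" plugin list --format=csv --fields=name,status,update,version | audit_site
#   done
# then, for every VULNERABLE site, `wp --path="$site" plugin update sendmachine`
# if a fixed release exists, or `wp --path="$site" plugin deactivate sendmachine`.
audit_sample
```

For step 3 on the same hosts, `wp --path="$site" option list --search='*smtp*'` lists the stored options whose names contain "smtp", which you can compare against your known-good host, port and username; the exact option names Sendmachine uses are not given in the advisory, so widen the pattern if nothing matches.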

Where ISO standards fit, without the sales pitch

An ISO-aligned information security management system reduces this sort of exposure by forcing repeatable control over change, access and supplier arrangements. Formal patch management, privileged account control and change approval would not have stopped the plugin shipping with the bug, but they get the fix applied quickly and limit what a hijacked account can reach; an ISO 27001 aligned approach makes that stick, see ISO 27001 guidance for how policies and processes map to real fixes.

Baseline technical controls and certification work help too; if you need a straightforward baseline for smaller sites, see IASME for practical options that avoid endless paperwork.

Because email interception ties into user behaviour and social engineering, training and phishing-resistant controls matter; a tested awareness programme such as usecure helps reduce the chance staff act on intercepted or spoofed messages.

All of the above is about reducing likelihood and limiting blast radius, not pretending software never has bugs.

Fix the immediate hole, then make sure it can’t happen at scale again.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.