
CVE-2024-6694: CWE-257 Storing Passwords in a Recoverable Format in smub WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Severity: Low
Tags: vulnerability, cve-2024-6694, cwe-257
Published: Sat Jul 20 2024 (07/20/2024, 03:20:31 UTC)
Source: CVE Database V5
Vendor/Project: smub
Product: WP Mail SMTP by WPForms – The Most Popular SMTP and Email Log Plugin

Description

The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to the plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 04/09/2026, 20:20:54 UTC

Technical Analysis

CVE-2024-6694 affects the WP Mail SMTP plugin by WPForms, where the SMTP password is displayed in plain text within the plugin's settings page for all versions up to 4.0.1. This allows any authenticated user with administrative-level access or higher to retrieve the SMTP password. The vulnerability is categorized under CWE-257, indicating improper storage or exposure of passwords in a recoverable format. The issue does not affect users without high privileges and does not impact confidentiality beyond the SMTP password exposure. There are no known exploits in the wild, and the CVSS v3.1 base score is 2.7, indicating low severity.

Potential Impact

An attacker who has already obtained administrative-level access to a WordPress site with the vulnerable plugin can view the SMTP password in plain text. This could potentially allow further misuse of the SMTP credentials if the attacker leverages them outside the WordPress environment. However, since administrative access is required to exploit this vulnerability, the impact is limited to scenarios where the attacker already has significant control over the site.

Mitigation Recommendations

No official patch or fix is currently referenced in the provided data. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict administrative access to trusted users only and monitor for any unauthorized access. Consider removing or disabling the plugin if SMTP password exposure is a concern. Follow up with the vendor or WPForms for updates regarding a security patch.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-11T15:06:41.104Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6c0ab7ef31ef0b55f4a7

Added to database: 2/25/2026, 9:39:22 PM

Last enriched: 4/9/2026, 8:20:54 PM

Last updated: 4/12/2026, 4:23:21 AM

Views: 9
