CVE-2025-6993: CWE-862 Missing Authorization in rustaurius Ultimate WP Mail
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corresponding email log post content (including the password-reset link), relying only on the ‘edit_posts’ capability without restricting to administrators or validating ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to harvest an admin’s reset link and elevate their privileges to administrator.
AI Analysis
Technical Summary
CVE-2025-6993 is a high-severity privilege escalation vulnerability affecting the Ultimate WP Mail plugin for WordPress, specifically versions 1.0.17 through 1.3.6. The vulnerability arises from improper authorization checks in the AJAX handler get_email_log_details(). This handler accepts a client-supplied post_id parameter and retrieves the corresponding email log post content, which includes sensitive information such as password-reset links. The authorization mechanism only verifies that the user holds the 'edit_posts' capability, which is granted to Contributor-level users and above; it neither restricts access to administrators nor validates ownership of the email log entries. Consequently, an authenticated user with Contributor or higher privileges can exploit this flaw to read an administrator's password-reset link. Using this link, the attacker can reset the administrator's password and escalate to administrator level, gaining full control over the WordPress site. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 7.5, indicating high severity. The attack vector is network-based with high attack complexity, requiring low privileges and no user interaction. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it a significant risk for WordPress sites using this plugin. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation measures.
Potential Impact
For European organizations relying on WordPress websites with the Ultimate WP Mail plugin installed, this vulnerability poses a critical risk to site integrity and confidentiality. Successful exploitation allows attackers with relatively low privileges to gain full administrative control, enabling them to manipulate site content, deploy malicious code, steal sensitive data, or disrupt services. This can lead to reputational damage, data breaches involving personal or financial information, and potential regulatory non-compliance under GDPR due to unauthorized access and data exposure. The ability to hijack administrator accounts also increases the risk of persistent backdoors and further lateral movement within the organization's web infrastructure. Given the widespread use of WordPress across European businesses, government agencies, and non-profits, the vulnerability could have broad implications, particularly for entities with Contributor-level user roles assigned to multiple users or external collaborators. The exposure of password-reset links further exacerbates the risk by simplifying privilege escalation without requiring complex exploitation techniques.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence and version of the Ultimate WP Mail plugin. If affected versions (1.0.17 to 1.3.6) are detected, organizations should consider the following specific mitigation steps:
1) Temporarily disable or uninstall the Ultimate WP Mail plugin until a security patch is released.
2) Restrict Contributor and other lower-privilege user roles from accessing the WordPress admin dashboard or AJAX endpoints related to email logs by implementing custom role capabilities or access control plugins.
3) Monitor and review user activity logs for suspicious access patterns, especially any attempts to access email logs or password-reset links.
4) Enforce multi-factor authentication (MFA) for all administrator accounts to reduce the impact of compromised credentials.
5) Regularly back up WordPress sites and databases to enable rapid recovery in case of compromise.
6) Stay informed about vendor updates and apply patches promptly once available.
7) Consider implementing Web Application Firewalls (WAF) with rules to detect and block unauthorized AJAX requests targeting the vulnerable handler.
These targeted actions go beyond generic advice by focusing on immediate risk reduction and monitoring tailored to the vulnerability's exploitation vector.
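To make the missing checks from the Technical Summary and the access-restriction advice in step 2 concrete, here is an added example of a hardened WordPress AJAX handler; it is not the plugin's code, and the action name, nonce action and the 'example_email_log' post type are hypothetical placeholders.

```php
<?php
// Added example (not the plugin's code): a hardened AJAX handler with the checks
// the advisory says get_email_log_details() lacked. The action name, nonce action
// and the 'example_email_log' post type are hypothetical placeholders.
add_action( 'wp_ajax_example_get_email_log_details', 'example_get_email_log_details_secure' );

/**
 * Object-level authorization rule: administrators may read any log entry;
 * any other user may read only an entry they authored. This encodes
 * "restrict to administrators or validate ownership", the two checks the
 * advisory describes as missing.
 */
function example_user_may_view_email_log( WP_Post $log ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return current_user_can( 'edit_posts' )
        && (int) $log->post_author === get_current_user_id();
}

function example_get_email_log_details_secure() {
    // CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_email_log_nonce', 'nonce' );

    // Never trust the client-supplied id: coerce it to a positive integer and
    // confirm it refers to a log entry of the expected post type, so a forged
    // id cannot pull arbitrary post content out of the database.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $log     = $post_id ? get_post( $post_id ) : null;

    if ( ! $log || 'example_email_log' !== $log->post_type ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }

    // The flawed pattern stops at current_user_can( 'edit_posts' ), which every
    // Contributor holds. Apply the per-object rule before returning content.
    if ( ! example_user_may_view_email_log( $log ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Only now is it safe to return the stored message, reset link included.
    wp_send_json_success( array(
        'subject' => $log->post_title,
        'body'    => $log->post_content,
    ) );
}
```

Because wp_send_json_error() terminates the request, each failed check ends the handler before any log content is read back to the client.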
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-01T21:34:52.393Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68777169a83201eaacd8f4f5
Added to database: 7/16/2025, 9:31:21 AM
Last enriched: 7/16/2025, 9:46:11 AM
Last updated: 10/16/2025, 1:53:58 AM