The Ultimate WP Mail plugin for WordPress, versions 1.0.17 through 1.3.6, contains a critical privilege escalation vulnerability identified as CVE-2025-6993. The vulnerability stems from a missing authorization check in the AJAX handler get_email_log_details(), which processes a client-supplied post_id parameter to fetch email log post content. This handler relies solely on the 'edit_posts' capability, which is granted to Contributor-level users and above, but does not restrict access to administrators or verify that the requesting user owns the post. Consequently, an authenticated user with Contributor or higher privileges can access sensitive email logs, including password reset links intended for administrators. By harvesting these reset links, attackers can reset administrator passwords and gain full administrative control over the WordPress site. The vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 7.5, reflecting high severity due to its impact on confidentiality, integrity, and availability. Exploitation requires authentication but no user interaction. No public exploits have been reported yet, but the nature of the flaw makes it a significant risk for sites using the affected plugin versions.

This vulnerability allows authenticated users with relatively low privileges (Contributor and above) to escalate their privileges to administrator by accessing sensitive password reset links. The impact includes full site compromise, enabling attackers to modify content, install malicious plugins or backdoors, steal sensitive data, and disrupt website availability. For organizations, this can lead to data breaches, defacement, loss of customer trust, and potential regulatory penalties. Since WordPress powers a significant portion of the web, and Ultimate WP Mail is used to manage email logs, many sites could be at risk. Attackers exploiting this flaw could pivot to other internal systems if the WordPress site is part of a larger network. The vulnerability affects confidentiality (exposure of reset links), integrity (unauthorized admin access), and availability (potential site disruption).

Organizations should immediately update the Ultimate WP Mail plugin to a patched version once available. Until a patch is released, administrators should restrict plugin usage to trusted users only and consider disabling or restricting access to the get_email_log_details() AJAX handler via custom code or web application firewall (WAF) rules. Implement strict role-based access controls to limit Contributor-level privileges and monitor logs for unusual access patterns to email logs or password reset activities. Additionally, enforce multi-factor authentication (MFA) for administrator accounts to reduce the risk of account takeover via reset links. Regularly audit installed plugins for vulnerabilities and remove unused or unmaintained plugins. Finally, consider isolating WordPress instances and backing up data frequently to enable recovery from compromise.