The Post SMTP plugin for WordPress, widely used for email deliverability and SMTP management, contains a missing authorization vulnerability identified as CVE-2026-2559. The root cause is the absence of a capability check (current_user_can()) and nonce verification in the handle_office365_oauth_redirect() function, which is triggered during the admin_init hook. This flaw allows any authenticated user with at least Subscriber privileges to craft a URL that modifies the Office 365 OAuth mail configuration options, including sensitive tokens and user email addresses. These configuration options are critical as they are used during the Microsoft365 SMTP setup wizard, which is only available in the Pro version of the plugin. By overwriting these settings, an attacker can cause an administrator to unknowingly connect the plugin to an attacker-controlled Azure application, potentially enabling interception or manipulation of outbound emails. The vulnerability does not impact confidentiality directly but severely compromises integrity by allowing unauthorized changes to email configuration, which could facilitate further attacks such as phishing or data exfiltration. Exploitation requires authenticated access but no user interaction beyond visiting a crafted URL. The vulnerability affects all versions up to 3.8.0, and no patches are currently listed, indicating the need for immediate attention from users of this plugin. No known exploits have been reported in the wild, but the potential impact warrants proactive mitigation.

The primary impact of CVE-2026-2559 is unauthorized modification of critical email configuration settings within WordPress sites using the Post SMTP plugin Pro version. This can lead to attackers redirecting email traffic through their own Azure applications, enabling interception, manipulation, or spoofing of emails sent from the affected site. Such control over email delivery can facilitate phishing attacks, data leakage, and loss of trust in organizational communications. While the vulnerability does not directly expose confidential data, it undermines the integrity of email systems, which are often used for sensitive communications and authentication workflows. Organizations relying on Microsoft365 SMTP through this plugin are at risk of having their email infrastructure compromised, potentially impacting business operations, compliance, and reputation. The requirement for authenticated access limits exposure to insiders or compromised accounts but does not eliminate risk, as Subscriber-level accounts are common in WordPress environments. The absence of known exploits suggests limited current exploitation, but the vulnerability's nature makes it a valuable target for attackers seeking persistent access or lateral movement within compromised environments.

To mitigate CVE-2026-2559, organizations should immediately restrict Subscriber-level user capabilities to the minimum necessary, reducing the risk of unauthorized configuration changes. Administrators should audit existing user roles and remove or downgrade unnecessary accounts with elevated privileges. Until an official patch is released, consider disabling or uninstalling the Post SMTP plugin Pro version if feasible. If continued use is necessary, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the handle_office365_oauth_redirect() endpoint, especially those attempting to modify OAuth configurations via crafted URLs. Monitoring WordPress logs for unusual admin_init hook activity or unexpected configuration changes can provide early detection of exploitation attempts. Additionally, educate administrators to verify OAuth application details during setup to detect potential attacker-controlled Azure app connections. Once a patch becomes available, apply it promptly. Finally, consider implementing multi-factor authentication (MFA) for WordPress accounts to reduce the risk of account compromise that could lead to exploitation.