CVE-2026-4162: CWE-862 Missing Authorization in RocketGenius Gravity SMTP
CVE-2026-4162 is a high-severity vulnerability in the Gravity SMTP WordPress plugin up to version 2. 1. 4. It involves missing authorization checks that allow authenticated users with subscriber-level access or higher to uninstall, deactivate the plugin, and delete plugin options. The vulnerability can also be exploited via a Cross-Site Request Forgery (CSRF) attack vector. No official patch or remediation guidance is currently provided by the vendor.
AI Analysis
Technical Summary
The Gravity SMTP plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in versions up to 2.1.4. The plugin fails to properly verify that a user is authorized to perform sensitive actions such as uninstalling or deactivating the plugin and deleting plugin options. This flaw allows any authenticated user with subscriber-level privileges or above to perform these actions without proper permission checks. Additionally, the vulnerability is exploitable through a CSRF vector, increasing the risk of unauthorized plugin manipulation. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, and privileges required at the low level.
Potential Impact
An attacker with subscriber-level access or higher can uninstall or deactivate the Gravity SMTP plugin and delete its options, potentially disrupting email functionality on the affected WordPress site. The lack of proper authorization checks combined with CSRF exploitation means attackers can perform these actions without direct user interaction beyond authentication. This can lead to denial of service of the plugin's functionality and possible configuration loss.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals only and monitor for suspicious activity related to plugin management. Consider disabling the plugin if not essential or applying custom authorization checks as a temporary measure.
CVE-2026-4162: CWE-862 Missing Authorization in RocketGenius Gravity SMTP
Description
CVE-2026-4162 is a high-severity vulnerability in the Gravity SMTP WordPress plugin up to version 2. 1. 4. It involves missing authorization checks that allow authenticated users with subscriber-level access or higher to uninstall, deactivate the plugin, and delete plugin options. The vulnerability can also be exploited via a Cross-Site Request Forgery (CSRF) attack vector. No official patch or remediation guidance is currently provided by the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Gravity SMTP plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in versions up to 2.1.4. The plugin fails to properly verify that a user is authorized to perform sensitive actions such as uninstalling or deactivating the plugin and deleting plugin options. This flaw allows any authenticated user with subscriber-level privileges or above to perform these actions without proper permission checks. Additionally, the vulnerability is exploitable through a CSRF vector, increasing the risk of unauthorized plugin manipulation. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, and privileges required at the low level.
Potential Impact
An attacker with subscriber-level access or higher can uninstall or deactivate the Gravity SMTP plugin and delete its options, potentially disrupting email functionality on the affected WordPress site. The lack of proper authorization checks combined with CSRF exploitation means attackers can perform these actions without direct user interaction beyond authentication. This can lead to denial of service of the plugin's functionality and possible configuration loss.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals only and monitor for suspicious activity related to plugin management. Consider disabling the plugin if not essential or applying custom authorization checks as a temporary measure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T22:45:31.558Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d8c7f71cc7ad14daa5fce1
Added to database: 4/10/2026, 9:50:47 AM
Last enriched: 4/10/2026, 10:05:45 AM
Last updated: 4/10/2026, 11:12:05 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.