CVE-2026-4162: CWE-862 Missing Authorization in RocketGenius Gravity SMTP
The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.
AI Analysis
Technical Summary
The Gravity SMTP plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in versions up to and including 2.1.4. This flaw allows authenticated users with low privileges (subscriber-level and above) to perform unauthorized actions such as uninstalling and deactivating the plugin and deleting its options. The vulnerability is also exploitable through CSRF, increasing the risk of unauthorized changes without user interaction. The CVSS 3.1 score of 7.1 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, impacting integrity and availability. There is no vendor advisory or patch available at this time.
Potential Impact
An attacker with subscriber-level access or higher can disrupt the functionality of the Gravity SMTP plugin by uninstalling or deactivating it and deleting its configuration options. This compromises the integrity of the plugin's operation and availability of its services on the affected WordPress site. There is no direct confidentiality impact reported. Exploitation via CSRF means that an attacker could potentially trigger these actions without direct interaction from the victim beyond being authenticated.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access to trusted users only and consider disabling or removing the Gravity SMTP plugin if possible. Monitor for suspicious activity related to plugin management actions. Avoid clicking on untrusted links while authenticated to reduce CSRF risks.
CVE-2026-4162: CWE-862 Missing Authorization in RocketGenius Gravity SMTP
Description
The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Gravity SMTP plugin for WordPress suffers from a Missing Authorization vulnerability (CWE-862) in versions up to and including 2.1.4. This flaw allows authenticated users with low privileges (subscriber-level and above) to perform unauthorized actions such as uninstalling and deactivating the plugin and deleting its options. The vulnerability is also exploitable through CSRF, increasing the risk of unauthorized changes without user interaction. The CVSS 3.1 score of 7.1 reflects a network attack vector with low attack complexity, requiring privileges but no user interaction, impacting integrity and availability. There is no vendor advisory or patch available at this time.
Potential Impact
An attacker with subscriber-level access or higher can disrupt the functionality of the Gravity SMTP plugin by uninstalling or deactivating it and deleting its configuration options. This compromises the integrity of the plugin's operation and availability of its services on the affected WordPress site. There is no direct confidentiality impact reported. Exploitation via CSRF means that an attacker could potentially trigger these actions without direct interaction from the victim beyond being authenticated.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level access to trusted users only and consider disabling or removing the Gravity SMTP plugin if possible. Monitor for suspicious activity related to plugin management actions. Avoid clicking on untrusted links while authenticated to reduce CSRF risks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T22:45:31.558Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d8c7f71cc7ad14daa5fce1
Added to database: 4/10/2026, 9:50:47 AM
Last enriched: 4/17/2026, 12:03:53 PM
Last updated: 5/25/2026, 11:25:53 AM
Views: 107
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.