
Any WordPress Member Can Hijack Admin Accounts Thanks to a Flaw in a Popular Mail Plugin

A security flaw in WP Mail Gateway lets even basic logged-in users secretly redirect your site's emails — then steal admin access in minutes.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Anyone with a free account on your WordPress site — a newsletter subscriber, a forum member, a customer — could silently take over your entire website, and you'd never see them coming.

Who's at Risk and How Bad Is This?

If your WordPress site uses the WP Mail Gateway plugin and has any user registration enabled — even something as routine as a WooCommerce shop account or a basic membership form — you are potentially exposed right now. The plugin is used across thousands of WordPress installations worldwide to manage how the site sends email. WordPress powers roughly 43% of all websites on the internet, and plugins like this one are the connective tissue holding those sites together. A flaw here isn't a niche problem — it's a wide-open door in one of the most commonly attacked surfaces on the web.

The vulnerability is rated 8.8 out of 10 (HIGH) on the industry-standard severity scale, meaning security teams categorize this as something requiring urgent attention, not something to schedule for next quarter's patch cycle.

Here's What an Attacker Actually Does

Imagine you run an online store. You've set things up so customers can create accounts to track their orders — totally normal. Now imagine one of those customers has quietly decided they want to own your entire website. Under normal circumstances, they'd be stuck. They're just a regular customer account with no special powers. But with this flaw, they have a hidden backdoor.

That customer visits a special behind-the-scenes web address on your site — one that WordPress uses internally to handle quick tasks — and sends a crafted request that reconfigures where your website sends its emails. Instead of emails going out through your legitimate mail server, they now get quietly copied or rerouted through a server the attacker controls. Your site looks completely normal. Nothing appears broken. But now the attacker owns your outbox.

Here's where it gets devastating: the attacker then goes to your login page and clicks "Forgot my password?" for your administrator account. Your site dutifully fires off a password reset link — straight into the attacker's trap. They receive the reset email, click the link, set a new admin password, and log in with full control. They can install malicious software, steal customer data, deface your site, lock you out entirely, or silently use your site to attack others. The whole operation can take under five minutes, and at no point did they need to do anything technically sophisticated.

The Technical Detail That Makes This Exploitable

For security researchers and developers, the root cause here is a missing capability check on the wmg_save_provider_config AJAX action — a classic WordPress plugin vulnerability class. In WordPress's permission architecture, AJAX actions that modify sensitive settings are supposed to verify that the requesting user holds appropriate privileges before executing. In WP Mail Gateway versions up to and including 1.8, this verification step is simply absent. Any authenticated user — regardless of role, including the lowest-privilege "Subscriber" role — can invoke this action and overwrite SMTP configuration values. This is a textbook privilege escalation via SMTP hijacking, and it's the kind of flaw that automated vulnerability scanners will eventually fingerprint and weaponize at scale.
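To make the root cause concrete, here is an added illustration (not WP Mail Gateway's actual code) of what an admin-ajax handler for the wmg_save_provider_config action looks like without the capability check the article describes, beside a hardened version. The option name, POST field names and nonce action are assumptions for the example.

```php
<?php
// Added example, not the plugin's own code. Both functions below show the
// same settings-saving handler; only the hardened one is registered.

// VULNERABLE shape: wp_ajax_* hooks fire for any authenticated session, so
// with no nonce and no capability check a Subscriber can overwrite the
// SMTP configuration just by POSTing to admin-ajax.php.
function wmg_save_provider_config_vulnerable() {
    $config = array(
        'host' => sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) ),
        'port' => absint( $_POST['smtp_port'] ?? 587 ),
        'user' => sanitize_text_field( wp_unslash( $_POST['smtp_user'] ?? '' ) ),
    );
    update_option( 'wmg_provider_config', $config ); // assumed option name
    wp_send_json_success();
}

// HARDENED shape: verify the request came from the plugin's own settings
// form (nonce, against CSRF) and that the caller is allowed to manage
// site options (capability, against privilege escalation) before touching
// any option. Subscribers and WooCommerce customers lack manage_options.
function wmg_save_provider_config_hardened() {
    check_ajax_referer( 'wmg_save_provider_config', 'nonce' ); // dies on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $config = array(
        'host' => sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) ),
        'port' => absint( $_POST['smtp_port'] ?? 587 ),
        'user' => sanitize_text_field( wp_unslash( $_POST['smtp_user'] ?? '' ) ),
    );
    update_option( 'wmg_provider_config', $config );
    wp_send_json_success();
}

add_action( 'wp_ajax_wmg_save_provider_config', 'wmg_save_provider_config_hardened' );
```

The capability check is the one that matters for this CVE; the nonce alone would not stop a logged-in attacker who can read the settings page, and the capability alone would not stop a CSRF against an administrator, so both belong in the handler.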

Has Anyone Been Attacked Yet?

As of publication, no active exploitation has been confirmed in the wild. There are no known victim campaigns tied to this CVE at this time. However, that status can change rapidly once a vulnerability is publicly documented — researchers and malicious actors alike index these disclosures, and the low barrier to exploitation here (you only need a subscriber account, not any special hacking tools) means opportunistic attacks could emerge quickly. The window between "disclosed" and "actively exploited" for WordPress plugin flaws has historically been measured in days, not months. Security teams should treat this as urgent.

The vulnerability was assigned CVE-2026-6963 and carries a CVSS score of 8.8. Wordfence, which maintains one of the largest WordPress vulnerability databases, flagged this issue as part of ongoing plugin security research.

What You Need to Do Right Now

The good news: fixing this is straightforward if you act today.

  1. Update WP Mail Gateway immediately. Log into your WordPress dashboard, go to Plugins → Installed Plugins, find WP Mail Gateway, and update it to any version above 1.8. If no patched version is yet available in the repository, deactivate the plugin entirely until one is released — a site that sends email slowly is better than a site that gets taken over.
  2. Audit your user accounts right now. Go to Users → All Users in your WordPress dashboard and look for any accounts you don't recognize, or subscriber-level accounts that seem out of place. Check the "Last Login" timestamps if your security plugin tracks them. Revoke or delete any accounts that look suspicious before an attacker has a chance to use this vulnerability.
  3. Install a WordPress firewall plugin and enable SMTP logging. Tools like Wordfence (free tier available) or Solid Security can block unauthorized AJAX requests and alert you to suspicious activity. Separately, verify your current SMTP settings in WP Mail Gateway or your mail configuration right now — if anything looks unfamiliar, assume compromise, reset your credentials, and rotate your admin password immediately using a trusted, unaffected device.
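If no patched release is available yet and deactivating the plugin is not an option, a site operator can add a guard that blocks non-administrator calls to the action and logs the attempt. This is an added example, not the vendor's patch; it assumes the plugin registers its handler on the standard wp_ajax_wmg_save_provider_config hook at the default priority of 10, so a guard at priority 0 runs first.

```php
<?php
/**
 * Plugin Name: WMG capability guard (added example, not the vendor's patch)
 * Description: Save as wp-content/mu-plugins/wmg-guard.php to block
 * non-admin calls to the wmg_save_provider_config AJAX action until
 * WP Mail Gateway is updated past 1.8.
 */

// Priority 0 runs before the plugin's handler (assumed default priority 10).
add_action( 'wp_ajax_wmg_save_provider_config', 'wmg_guard_provider_config', 0 );

function wmg_guard_provider_config() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's own handler
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Leave a record a firewall plugin or log collector can alert on:
    // a low-privilege account touching the mail provider settings is
    // exactly the first step of the takeover chain described above.
    error_log( sprintf(
        'WMG guard: blocked wmg_save_provider_config by user %d (%s) from %s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        $ip
    ) );

    // wp_send_json_error() ends the request, so the plugin's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
}
```

Remove the guard once the plugin has been updated and its own handler enforces the check, and review the PHP error log for "WMG guard" entries as part of the account audit in step 2.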

Bottom line: This vulnerability asks very little of an attacker and offers them everything. A patched plugin, a clean user list, and a firewall are all that stand between your site and a complete takeover. Don't wait on this one.
