Vulnerability analysis

WP Mail Gateway – Missing Authorisation on Email Settings

Vulnerability details

Software: WP Mail Gateway (plugin slug: wp-mail-gateway)

Vulnerability type: Email settings hijack (missing authorisation)

Threat level: High

WP Mail Gateway version 1.8 and earlier contain a missing authorisation check that lets any authenticated user, including a Subscriber with no special permissions, overwrite the site's email gateway settings. In practice that means redirecting all outgoing mail to a server the attacker controls, intercepting password-reset emails, and escalating to administrator access.

The vulnerability

The plugin registers an AJAX action, wmg_save_provider_config, without checking the caller's capabilities. The handler reads a JSON payload from the configs POST parameter containing the SMTP host, port, credentials and from address, and writes it straight into the plugin's options, which live in the WordPress options table. Whoever can reach the action decides where the site's mail goes.

Here’s the vulnerable code:

add_action( 'wp_ajax_wmg_save_provider_config', array( Functions::class, 'saveProviderConfigAjax' ) );

public static function saveProviderConfigAjax() {
    // Raw request body: a JSON string in the "configs" POST parameter,
    // decoded as-is. Nothing here asks who is calling.
    $postData = $_POST;
    $configs  = json_decode( stripslashes( $postData['configs'] ), true );

    // No nonce check (check_ajax_referer) and no capability check
    // (current_user_can) anywhere in the handler.

    // ... provider name ($gatewayProvider) and merged config ($finalConfigs)
    //     are derived from $configs here; elided from this excerpt.

    $existingGatewayConfigs = self::getOptions();
    $existingGatewayConfigs['gateway_provider'][ $gatewayProvider ] = $finalConfigs[ $gatewayProvider ];
    $updatedOptions = self::updateOptions( [ 'gateway_provider' => $existingGatewayConfigs['gateway_provider'] ] );

    wp_send_json_success( [...] );
}

WordPress fires the wp_ajax_{action} hook for any authenticated user who posts action={action} to admin-ajax.php; deciding who is actually allowed to act is the handler's job. This handler never calls current_user_can( 'manage_options' ), and it has no nonce check (check_ajax_referer) either, so a Subscriber's session cookie is all an attacker needs. The missing capability check is the vulnerability; the missing nonce is a secondary CSRF weakness that a capability check alone would not cover.
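
For comparison, here is a hardened form of the same handler. This is an added example written for this page, not the plugin's actual 1.8.1 fix: the nonce action name and field, the JSON keys (provider, host, port, username, password, from_email), the option name wmg_options and the getOptions()/updateOptions() wrappers are all assumptions made for the illustration.

```php
<?php
/**
 * Added example: a hardened form of the vulnerable handler above.
 * Not the plugin's real 1.8.1 code. Nonce name, JSON keys, option name
 * and the two options wrappers are assumptions for this illustration.
 */
class Functions {

    public static function saveProviderConfigAjax() {
        // 1. Authorisation: only users who may manage site options may
        //    change the mail gateway. This is the check the vulnerable
        //    code lacks, and it is what stops a Subscriber cold.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
        }

        // 2. CSRF protection: the request must carry a nonce bound to this
        //    action so an administrator cannot be tricked into submitting it
        //    from another site. A nonce alone would NOT fix the vulnerability:
        //    any Subscriber who can obtain one would still pass.
        check_ajax_referer( 'wmg_save_provider_config', '_wpnonce' );

        // 3. Input validation: never write raw JSON into the options table.
        $raw     = isset( $_POST['configs'] ) ? wp_unslash( $_POST['configs'] ) : '';
        $configs = json_decode( $raw, true );
        if ( ! is_array( $configs ) ) {
            wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
        }

        $provider = isset( $configs['provider'] ) ? sanitize_key( $configs['provider'] ) : '';
        $allowed  = array( 'smtp' ); // providers this example knows about (assumption)
        if ( ! in_array( $provider, $allowed, true ) ) {
            wp_send_json_error( array( 'message' => 'Unknown provider' ), 400 );
        }

        $host = isset( $configs['host'] ) ? sanitize_text_field( $configs['host'] ) : '';
        $port = isset( $configs['port'] ) ? absint( $configs['port'] ) : 0;
        $from = isset( $configs['from_email'] ) ? sanitize_email( $configs['from_email'] ) : '';
        if ( '' === $host || $port < 1 || $port > 65535 || ! is_email( $from ) ) {
            wp_send_json_error( array( 'message' => 'Invalid SMTP settings' ), 400 );
        }

        $clean = array(
            'host'       => $host,
            'port'       => $port,
            'username'   => isset( $configs['username'] ) ? sanitize_text_field( $configs['username'] ) : '',
            'password'   => isset( $configs['password'] ) ? (string) $configs['password'] : '',
            'from_email' => $from,
        );

        // 4. Only now touch the options table, and only with validated data.
        $existing = self::getOptions();
        $existing['gateway_provider'][ $provider ] = $clean;
        self::updateOptions( array( 'gateway_provider' => $existing['gateway_provider'] ) );

        wp_send_json_success( array( 'provider' => $provider ) );
    }

    // Thin wrappers around the WordPress options API. The option name is
    // an assumption; the real plugin's storage key is not shown on this page.
    private static function getOptions() {
        $opts = get_option( 'wmg_options', array() );
        return is_array( $opts ) ? $opts : array();
    }

    private static function updateOptions( array $changes ) {
        return update_option( 'wmg_options', array_merge( self::getOptions(), $changes ) );
    }
}

add_action( 'wp_ajax_wmg_save_provider_config', array( Functions::class, 'saveProviderConfigAjax' ) );
```

The capability check comes first because it is the control that was missing; the nonce and the validation are defence in depth. wp_send_json_error() terminates the request, so once a check fails nothing further in the handler runs.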

The attack

An attacker with a Subscriber account (or anyone who can register one on a site with open registration) sends a POST request to /wp-admin/admin-ajax.php with action=wmg_save_provider_config and a configs payload pointing at an SMTP server they control. From that moment every message the site sends passes through the attacker's server.

They then request a password reset for an administrator account, read the reset link from the intercepted email, set a new password and log in as that administrator. Full site compromise in minutes, with nothing in the WordPress admin pointing at the low-privilege account that started it.

Check if you’re affected

You’re vulnerable if you’re running WP Mail Gateway version 1.8 or earlier. Check your plugins page or run:

# Using WP-CLI to check your plugin version
wp plugin list | grep mail-gateway

# Or read just the version field for the plugin slug
wp plugin get wp-mail-gateway --field=version

If the version is 1.8 or lower, update immediately.

What to do

Update now. Version 1.8.1 and later include the missing capability check.

After updating:

  1. Review your email gateway settings in the plugin admin panel. Look for unexpected SMTP hosts or credentials.
  2. Check your WordPress user list for any unauthorised Subscriber or higher-level accounts.
  3. Force password resets for all administrator accounts and invalidate their existing sessions, since a reset link may already have been intercepted.
  4. Review your email logs (if available) for signs of mail being redirected elsewhere.

If you’re running a managed hosting environment, your host may have logs showing which SMTP server your mail was routed through. Check those.
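
If the update cannot be applied immediately, the vulnerable action can be blocked from outside the plugin while the update is arranged. The must-use plugin below is an added example, not part of WP Mail Gateway or of this advisory; it assumes the plugin registers its handler with add_action() at the default priority 10, so a hook at priority 1 runs first.

```php
<?php
/**
 * Plugin Name: WMG stopgap - block unauthorised gateway changes
 *
 * Added example, not from WP Mail Gateway or this advisory. Save it as
 * wp-content/mu-plugins/wmg-stopgap.php until the site is on 1.8.1 or later,
 * then delete it. Assumption: the plugin's own callback is attached to this
 * hook at the default priority 10, so priority 1 here runs before it.
 */

add_action( 'wp_ajax_wmg_save_provider_config', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's own handler
    }

    // A low-privilege user posting to this action is a strong indicator of
    // exploitation, so record who and from where before refusing.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'wmg-stopgap: blocked wmg_save_provider_config from user %d at %s',
        get_current_user_id(),
        $remote
    ) );

    // wp_send_json_error() ends the request, so the plugin's callback,
    // registered later on the same hook, never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}, 1 );
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin panel, which is what you want from a stopgap. The error_log() line gives you something to grep for when reviewing whether the flaw was exploited before the block was in place.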

Why this matters

Email is how WordPress recovers from compromise. If an attacker controls your mail, they control your password resets, account confirmations, and notifications. This vulnerability turns a low-privilege account into a path to full administrative access.

Tools like Vulnz can monitor your plugins and alert you when vulnerabilities like this are disclosed, so you can patch before attackers find them.

Stop checking plugin versions manually.

Vulnz subscribers were notified about this vulnerability automatically. Drop the 50KB agent onto your client sites and get a weekly "Zero-Click" security digest straight to your inbox.
