Vulnerabilities and security researches forsendmachine sendmachine

Apr 24, 2026

CVE, Research URL: CVE-2026-6235
Home page URL: Security reports for Sendmachine for WordPress
Application: Sendmachine for WordPress
Date: Apr 22, 2026
Research Description: The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).
Affected versions: max 2.0.0.
Status: vulnerable