CVE-2025-6993— Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-6993
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ultimate WP Mail 1.0.17 - 1.3.6 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation via get_email_log_details Function
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corresponding email log post content (including the password-reset link), relying only on the ‘edit_posts’ capability without restricting to administrators or validating ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to harvest an admin’s reset link and elevate their privileges to administrator.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress plugin Ultimate WP Mail 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress plugin Ultimate WP Mail 1.0.17至1.3.6版本存在安全漏洞,该漏洞源于get_email_log_details函数授权不当,可能导致权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| rustaurius | Ultimate WP Mail | 1.0.17 ~ 1.3.6 | - |
II. Public POCs for CVE-2025-6993
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-6993
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Ultimate WP Mail
- CVE-2025-53454
WordPress Ultimate WP Mail Plugin <= 1.3.8 - Cross Site Scri - CVE-2025-49288
WordPress Ultimate WP Mail plugin <= 1.3.5 - Account Takeove - CVE-2025-47490
WordPress Ultimate WP Mail plugin <= 1.3.4 - SQL Injection V - CVE-2025-47466
WordPress Ultimate WP Mail plugin <= 1.3.4 - Cross Site Requ - CVE-2025-32694
WordPress Ultimate WP Mail plugin <= 1.3.10 - Open Redirecti
Same vendor: rustaurius
- CVE-2026-6498
Five Star Restaurant Reservations <= 2.7.16 - Unauthenticate - CVE-2026-4336
Ultimate FAQ Accordion Plugin <= 2.4.7 - Authenticated (Auth - CVE-2026-39602
WordPress Order Tracking plugin <= 3.4.3 - Broken Access Con - CVE-2026-25327
WordPress Five Star Restaurant Reservations plugin <= 2.7.9 - CVE-2026-24634
WordPress Ultimate Reviews plugin <= 3.2.16 - Insecure Direc
Same weakness: CWE-862
- CVE-2021-47932
WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthen - CVE-2025-15634
HCL BigFix WebUI is affected by a missing authorization vuln - CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Pr - CVE-2026-42174
Kirby: User avatar creation, replacement and deletion are no - CVE-2026-42137
Kirby: `pages.access/list` and `files.access/list` permissio
V. Comments for CVE-2025-6993
No comments yet