WordPress Plugin Vulnerabilities

Post SMTP < 2.9.12 - Missing Authorization via regenerate_qrcode()

Description

The Post SMTP plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the regenerate_qrcode() function in versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to generate QR codes.

Affects Plugins

Plugin icon
post-smtp
Fixed in 2.9.12

References

CVE
CVE-2025-22800
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/763a7dec-72e3-46d2-a82e-268c577e0289

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
85280ae1-f237-445d-92c3-cfe5685ec419

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-14 (about 1 year ago)
Last Updated
2025-01-14 (about 1 year ago)

Other

Published
Title
Published
2024-12-06
Title
Eyewear prescription form < 4.0.19 - Missing Authorization to Unauthenticated Arbitrary Options Update
Published
2025-10-08
Title
Doppler Forms < 2.6.0 - Subscriber+ Limited Plugin Installation
Published
2026-03-18
Title
Fraud Prevention For WooCommerce and EDD < 2.3.4 - Missing Authorization to Unauthenticated Arbitrary Content Deletion
Published
2025-11-27
Title
The Aisle < 2.9.1 - Missing Authorization
Published
2024-07-08
Title
Product Designer < 1.0.34 - Unauthenticated Arbitrary Attachment Deletion