CVE-2025-6993
📋 TL;DR
The Ultimate WP Mail WordPress plugin versions 1.0.17 to 1.3.6 contain a privilege escalation vulnerability where authenticated users with Contributor-level access or higher can access password reset links intended for administrators. This allows attackers to elevate their privileges to administrator level. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Ultimate WP Mail WordPress Plugin
📦 What is this software?
Ultimate Wp Mail by Rustaurius
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where an attacker gains administrator access, installs backdoors, steals sensitive data, defaces the site, or uses it for further attacks.
Likely Case
Attacker gains administrator privileges, modifies site content, installs malicious plugins/themes, or accesses sensitive user data.
If Mitigated
Limited impact if proper access controls, monitoring, and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.7
Vendor Advisory: https://wordpress.org/plugins/ultimate-wp-mail/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Ultimate WP Mail plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.3.7+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Ultimate WP Mail plugin until patched.
wp plugin deactivate ultimate-wp-mail
Restrict user roles
Limit users with Contributor role or higher to trusted individuals only.
🧯 If You Can't Patch
- Remove Contributor and higher roles from untrusted users
- Implement web application firewall rules to block suspicious AJAX requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Ultimate WP Mail → Version. If the version is between 1.0.17 and 1.3.6 inclusive, the site is vulnerable.
Check Version:
wp plugin get ultimate-wp-mail --field=version
Verify Fix Applied:
Confirm plugin version is 1.3.7 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to admin-ajax.php with action=get_email_log_details from non-admin users
- Multiple failed login attempts followed by successful Contributor/Author login
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=get_email_log_details parameter
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "get_email_log_details" AND NOT user_role="administrator"
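To act on the log indicators and SIEM query above, here is an added example (not part of this advisory or the plugin) that sweeps a JSON-lines WordPress activity log for admin-ajax.php calls carrying action=get_email_log_details from anyone other than an administrator. The log lines, their field names (ts, user, user_role, uri, body) and the assumption that the log records the caller's role are all constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlsplit

SUSPECT_ACTION = "get_email_log_details"  # the AJAX action named in the indicators

# Constructed sample: one JSON object per line, assumed to carry the logged-in
# user's role (as an audit-log plugin or SIEM enrichment might). Not real data.
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:01Z","user":"alice","user_role":"administrator","uri":"/wp-admin/admin-ajax.php","body":"action=get_email_log_details&id=41"}
{"ts":"2025-07-01T10:00:05Z","user":"bob","user_role":"contributor","uri":"/wp-admin/admin-ajax.php","body":"action=get_email_log_details&id=42"}
{"ts":"2025-07-01T10:00:09Z","user":"bob","user_role":"contributor","uri":"/wp-admin/admin-ajax.php?action=get_email_log_details&id=43","body":""}
{"ts":"2025-07-01T10:00:12Z","user":"carol","user_role":"author","uri":"/wp-admin/admin-ajax.php","body":"action=heartbeat"}
{"ts":"2025-07-01T10:00:15Z","user":"","user_role":"","uri":"/wp-admin/admin-ajax.php","body":"action=get_email_log_details&id=44"}
not json at all
"""

def ajax_actions(uri, body):
    """All 'action' values a request carries. WordPress reads the action from
    $_REQUEST, so the query string and the form body both count."""
    actions = set()
    for source in (urlsplit(uri).query, body or ""):
        actions.update(parse_qs(source).get("action", []))
    return actions

def is_suspect(entry):
    """admin-ajax.php call to the email-log action by anyone who is not an
    administrator; a missing or empty role is flagged too, not silently trusted."""
    uri = entry.get("uri", "")
    if not urlsplit(uri).path.endswith("/admin-ajax.php"):
        return False
    if SUSPECT_ACTION not in ajax_actions(uri, entry.get("body")):
        return False
    return str(entry.get("user_role", "")).lower() != "administrator"

def find_suspect_requests(log_text):
    """Sweep a JSON-lines log; malformed lines are skipped, not fatal."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and is_suspect(entry):
            hits.append({"line": lineno, "ts": entry.get("ts"),
                         "user": entry.get("user"), "role": entry.get("user_role")})
    return hits

if __name__ == "__main__":
    for h in find_suspect_requests(SAMPLE_LOG):
        print(f"line {h['line']}: {h['ts']} user={h['user']!r} role={h['role']!r}")
```

Each hit is a request to review against the user's expected role; a plain web-server access log without role enrichment would need to be joined against the WordPress user table first.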
🔗 References
- https://plugins.trac.wordpress.org/browser/ultimate-wp-mail/tags/1.3.6/includes/Ajax.class.php
- https://plugins.trac.wordpress.org/changeset/3328277
- https://wordpress.org/plugins/ultimate-wp-mail/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b19794de-b623-4017-bd91-73986383c58b?source=cve