Skip to main content
CVE Vulnerability Database

CVE-2025-6993: Ultimate WP Mail Privilege Escalation Flaw

CVE-2025-6993 is a privilege escalation vulnerability in the Ultimate WP Mail plugin for WordPress, allowing Contributor-level attackers to harvest admin password-reset links. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6993 Overview

CVE-2025-6993 affects the Ultimate WP Mail plugin for WordPress, developed by Rustaurius. The flaw resides in the get_email_log_details() AJAX handler and stems from missing authorization checks [CWE-862]. Versions 1.0.17 through 1.3.6 are affected. Authenticated users with Contributor-level access or higher can read arbitrary email log post content, including administrator password-reset links. An attacker who harvests a reset link can take over the administrator account and escalate privileges across the entire WordPress site.

Critical Impact

Contributor-level WordPress users can read administrator password-reset emails through the vulnerable AJAX handler and seize full administrator control of the site.

Affected Products

  • Rustaurius Ultimate WP Mail plugin versions 1.0.17 through 1.3.6
  • WordPress installations with the plugin active and Contributor (or higher) accounts provisioned
  • Sites using the plugin to log password-reset notifications

Discovery Timeline

  • 2025-07-16 - CVE-2025-6993 published to the National Vulnerability Database (NVD)
  • 2025-08-02 - Last updated in NVD database

Technical Details for CVE-2025-6993

Vulnerability Analysis

The vulnerability is a missing-authorization flaw in the get_email_log_details() AJAX endpoint registered by the Ultimate WP Mail plugin. The handler accepts a client-supplied post_id parameter and returns the corresponding email log post content. Email logs frequently contain sensitive material such as password-reset URLs, account notifications, and form submissions. Because the handler returns this content verbatim to the caller, any authenticated user permitted to invoke the endpoint can read messages addressed to other site users, including administrators.

Root Cause

The handler enforces only the generic edit_posts capability before returning email log details. WordPress grants edit_posts to Contributors, Authors, Editors, and Administrators by default. The code does not verify that the requesting user owns the requested log, that the user holds an administrative role, or that the requested post_id corresponds to a resource the caller is entitled to read. This violates the principle of least privilege and breaks the authorization boundary between low-privileged content authors and the site administrator.

Attack Vector

An attacker first obtains Contributor-level credentials, typically through self-registration on sites that allow it or through credential reuse. The attacker then triggers a WordPress password reset for an administrator account so that the reset email is captured in the plugin's log. Next, the attacker iterates post_id values and calls the get_email_log_details AJAX action with a valid nonce. The response includes the password-reset link addressed to the administrator. Submitting that link to wp-login.php?action=rp lets the attacker set a new administrator password and log in with full privileges.

No verified public exploit code is available. See the Wordfence Vulnerability Report and the WordPress Plugin File for the vulnerable handler source.

Detection Methods for CVE-2025-6993

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php with action=get_email_log_details originating from low-privileged user sessions
  • Sequential or enumerated post_id values submitted to the AJAX endpoint within short time windows
  • Password-reset events for administrator accounts immediately followed by administrator logins from new IP addresses or user agents
  • Unexpected role changes, new administrator account creation, or plugin installations following a Contributor session

Detection Strategies

  • Review web server and WordPress logs for requests targeting the get_email_log_details AJAX action from non-administrator sessions
  • Correlate retrieve_password events in WordPress with subsequent administrator password changes
  • Audit Ultimate WP Mail plugin versions across the estate and flag any installation between 1.0.17 and 1.3.6

Monitoring Recommendations

  • Forward WordPress access logs and authentication events to a centralized log platform for retention and correlation
  • Alert on administrator role assignments and password changes that occur outside change-management windows
  • Monitor for installation of new plugins or themes by accounts that recently escalated to administrator

How to Mitigate CVE-2025-6993

Immediate Actions Required

  • Update Ultimate WP Mail to a version newer than 1.3.6 that includes the WordPress Changeset Update fix
  • Audit existing WordPress accounts and remove unused or untrusted Contributor, Author, and Editor users
  • Force a password reset for all administrator accounts and rotate associated API keys and application passwords
  • Review email logs for any password-reset messages and invalidate links that may have been exposed

Patch Information

The vendor addressed the issue in the changeset published at plugins.trac.wordpress.org/changeset/3328277. Site operators should upgrade to the patched release available on the WordPress plugin page. The fix introduces an administrator capability check inside the get_email_log_details() handler.

Workarounds

  • Deactivate and remove the Ultimate WP Mail plugin until the patched version can be deployed
  • Disable open user registration and restrict the edit_posts capability where business requirements allow
  • Add a web application firewall rule that blocks admin-ajax.php requests with action=get_email_log_details from non-administrator sessions
bash
# Example WP-CLI commands to verify plugin version and remove if vulnerable
wp plugin get ultimate-wp-mail --field=version
wp plugin deactivate ultimate-wp-mail
wp plugin update ultimate-wp-mail

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.