CVE-2025-6993
WordPress · WordPress Multiple Products
A high-severity vulnerability exists within the Ultimate WP Mail plugin for WordPress, allowing for privilege escalation.
Executive summary
A high-severity vulnerability exists within the Ultimate WP Mail plugin for WordPress, allowing for privilege escalation. An attacker with low-level access to a WordPress site could exploit this flaw to view sensitive email logs, potentially exposing confidential user data, password reset links, or other private communications. This poses a significant risk of a data breach and could lead to further unauthorized actions.
Vulnerability
The vulnerability is an improper authorization flaw within the get_email_log_details() function, which is handled via an AJAX action. The function fails to properly verify that the user making the request has sufficient permissions to view email logs. An authenticated attacker, even with low-level privileges (e.g., a subscriber), can send a specially crafted AJAX request directly to this handler to retrieve the contents of email logs, which should be restricted to administrators.
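To make the authorization gap concrete, the following is an added illustration written for this advisory, not code from the Ultimate WP Mail plugin (whose internals the advisory does not reproduce). It shows the handler pattern described above next to a hardened version that uses standard WordPress APIs. All function, nonce and hook names prefixed `example_` are hypothetical, and the `manage_options` capability is assumed to be the right one for viewing email logs.

```php
<?php
// Added illustrative example, not the plugin's own code. Names prefixed
// example_ are hypothetical; the constructed log store stands in for the
// plugin's database table so the file is self-contained.

// Constructed sample data standing in for stored email logs.
function example_email_log_store() {
    return array(
        1 => array( 'to' => 'user@example.test', 'subject' => 'Password reset', 'body' => '[reset link would be here]' ),
        2 => array( 'to' => 'buyer@example.test', 'subject' => 'Order confirmation', 'body' => '[order details]' ),
    );
}

function example_fetch_email_log( $log_id ) {
    $store = example_email_log_store();
    return isset( $store[ $log_id ] ) ? $store[ $log_id ] : null;
}

// Pattern the advisory describes: the handler reads its parameters and
// returns log contents without ever checking who is asking. Any user whose
// request reaches wp_ajax_* (i.e. any authenticated user) gets the data.
function example_email_log_details_unchecked() {
    $log_id = absint( $_POST['log_id'] ?? 0 );
    wp_send_json_success( example_fetch_email_log( $log_id ) );
}

// Hardened pattern: a capability check that subscribers cannot pass, plus a
// nonce check so the request must originate from the plugin's admin UI.
function example_email_log_details_checked() {
    // Capability check: 'manage_options' is held by administrators only.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // Nonce check; third argument false lets us answer with JSON instead of wp_die().
    if ( ! check_ajax_referer( 'example_email_log_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    $log_id = absint( $_POST['log_id'] ?? 0 );
    $log    = example_fetch_email_log( $log_id );
    if ( null === $log ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    wp_send_json_success( $log );
}

// Register only the authenticated hook; with no wp_ajax_nopriv_ variant,
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_example_email_log_details', 'example_email_log_details_checked' );
```

The order of the checks matters less than their presence: a nonce alone proves the request came from a page the user could load, not that the user is allowed to read logs, so the capability check is the one that closes the flaw described here.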
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to a significant data breach by exposing sensitive information transmitted via email, such as user registration details, password reset tokens, private messages, and order confirmations. The specific risks to the organization include reputational damage, loss of customer trust, non-compliance with data protection regulations (like GDPR), and the potential for attackers to leverage the exposed information to gain further access to user accounts or other systems.
Remediation
Immediate Action: Update the Ultimate WP Mail plugin to the latest available version, which contains a patch for this vulnerability. If the plugin is not critical to business operations, consider deactivating and removing it to eliminate the attack surface. Always back up your site before performing updates.
Proactive Monitoring: Monitor web server and WordPress audit logs for suspicious AJAX requests to wp-admin/admin-ajax.php, specifically looking for calls to the get_email_log_details action from non-administrative users. A sudden increase in such requests could indicate attempted or successful exploitation.
Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block or limit access to the vulnerable AJAX action (get_email_log_details) for users who are not administrators. Additionally, enforce the principle of least privilege by regularly reviewing user roles and capabilities to ensure they only have the access necessary for their function.
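The monitoring and compensating-control items above can be combined in a small must-use plugin that runs before the vulnerable handler. The following is an added example written for this advisory, not part of the Ultimate WP Mail plugin or of any vendor patch. It assumes the plugin registers its handler on the `wp_ajax_get_email_log_details` hook (the action name given above) at WordPress's default priority of 10, and that `manage_options` is the capability that should gate email-log access; both are assumptions to verify against the installed plugin.

```php
<?php
/**
 * Plugin Name: CVE-2025-6993 guard (added example)
 *
 * Illustrative must-use plugin for wp-content/mu-plugins/, not the plugin's
 * own code. It logs and blocks calls to the get_email_log_details AJAX
 * action from non-administrators until the plugin can be updated.
 * Assumptions: the vulnerable handler is hooked at default priority (10),
 * and 'manage_options' is the correct capability for viewing email logs.
 */

function example_guard_email_log_details() {
    // Administrators fall through to the plugin's own handler untouched.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // One structured line per attempt for the PHP/WordPress error log, which
    // an audit-log or SIEM collector can key on.
    error_log( sprintf(
        'CVE-2025-6993 guard: blocked get_email_log_details user_id=%d roles=%s ip=%s',
        $user->ID,
        $roles,
        $ip
    ) );

    // wp_send_json_error() terminates the request, so the plugin's handler,
    // registered later on the same hook, never executes.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Priority 1 runs before the plugin's default-priority (10) handler.
add_action( 'wp_ajax_get_email_log_details', 'example_guard_email_log_details', 1 );
// Cover the unauthenticated hook too, in case a version registers it.
add_action( 'wp_ajax_nopriv_get_email_log_details', 'example_guard_email_log_details', 1 );
```

One caveat for the log-monitoring step: the `action` parameter of an admin-ajax.php call is usually sent in the POST body, which ordinary web server access logs do not record, so a query-string search alone will miss most requests. A WordPress-side hook like the one above, or a WAF that inspects request bodies, sees the action name regardless of how it was sent.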
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity rating (CVSS 7.5) and the direct risk of sensitive data exposure, we strongly recommend that all organizations using the Ultimate WP Mail plugin prioritize applying the security update immediately. Although there is no evidence of active exploitation at this time, the technical simplicity of the vulnerability means that exploits could be developed quickly. Proactive patching is the most effective defense to prevent potential data breaches and protect organizational and user data.