CVE-2024-6694: The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providi...

Description

The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.

Metrics

CVSS 3.1

2.7/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.57%

43.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-257

References

Timeline

Published: Jul 20, 2024
Last Modified: Jun 17, 2026
Status: Deferred

Frequently Asked Questions

What is CVE-2024-6694?

The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.

How severe is CVE-2024-6694?

CVE-2024-6694 has a CVSS score of 2.7/10 (LOW severity). The EPSS model estimates a 0.57% probability of exploitation in the next 30 days.

How do I fix CVE-2024-6694?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.