CVE-2026-6235
CVSS 9.8
The Sendmachine for WordPress plugin doesn't check whether the caller is actually authorized when handling admin requests. An unauthenticated attacker can overwrite your SMTP configuration, rerouting all outbound email through a server they control. That includes password reset emails, which means full site takeover is one "forgot password" click away.