CVE-2025-54011: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in SMTP2GO plugin versions up to 1.12.1. The vulnerability was discovered by Ananda Dhakal and was officially published on July 16, 2025, with CVE identifier CVE-2025-54011. The vulnerability affects the WordPress SMTP2GO plugin and is related to broken access control security levels (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-862 (Missing Authorization) and involves broken access control where authorization, authentication, or nonce token checks are missing in certain functions (Patchstack).

The vulnerability could potentially allow an unprivileged user to execute certain higher privileged actions. However, the security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 1.12.2 of the SMTP2GO plugin. Users are advised to update to version 1.12.2 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).