How to fix CVE-2025-1488?

Within 30 days: Identify affected systems running for WordPress is vulnerable to Open Redirect in all and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Open Redirect affected by CVE-2025-1488?

Organizations using for WordPress is vulnerable to Open Redirect in all should be aware of moderate risk from CVE-2025-1488 rated CVSS 4.7. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

CVE-2025-1488

MEDIUM

2025-02-24 [email protected]

Microsoft Open Redirect WordPress Microsoft 365 Graph Mailer PHP

4.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:28 vuln.today

Patch Released

Mar 28, 2026 - 18:28 nvd

Patch available

CVE Published

Feb 24, 2025 - 11:15 nvd

MEDIUM 4.7

Description

The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.

Analysis

The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required.

Technical Context

This vulnerability is classified as Open Redirect (CWE-601), which allows attackers to redirect users to malicious websites via URL manipulation. The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured. Affected products include: Wpo365 Microsoft 365 Graph Mailer.

Affected Products

Wpo365 Microsoft 365 Graph Mailer.

Remediation

A vendor patch is available. Apply the latest security update as soon as possible. Validate redirect destinations against an allowlist, avoid using user input in redirect URLs.

CVE-2025-1488 vulnerability details – vuln.today

Back