CVE-2025-28974

EUVD-2025-17173 | HIGH
Published: 2025-06-06
CVSS 3.1 base score: 7.1 (High)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17173
CVE Published: Jun 06, 2025 - 13:15 (nvd), HIGH 7.1

Description

Cross-Site Request Forgery (CSRF) vulnerability in mail250 Free WP Mail SMTP allows Stored XSS. This issue affects Free WP Mail SMTP: from n/a through 1.0.

Analysis

CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS. The attacker needs no account on the target site (PR:N) but cannot hit the plugin's settings handler directly: they must lure a logged-in WordPress administrator to a page that submits the forged request on the administrator's behalf (UI:R). The injected script is then stored and executes in the browser of anyone who later views the affected page. The attack vector is network-based (AV:N) with low complexity (AC:L), and Scope: Changed reflects that the payload runs in the victim's browser rather than in the plugin itself. A CVSS 3.1 base score of 7.1 is rated High (the 7.0 to 8.9 band), with low impact to confidentiality, integrity and availability. Real-world exploitation likelihood also depends on KEV status, EPSS probability and public POC availability; none of those is provided in the source material.

Technical Context

The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) chained with stored XSS, indicating that the plugin does not verify a nonce or CSRF token on a state-changing request and does not sanitize the submitted value before storing it or encode it before rendering it. The affected product is mail250 Free WP Mail SMTP, a WordPress plugin that routes outgoing site mail through a configured SMTP server (no CPE identifier is given in the source data). The root cause appears to be missing request validation and output encoding in the plugin's admin settings or mail configuration interface. Because those settings live in the WordPress admin panel, the chain is more damaging than either weakness alone: an attacker who tricks an authenticated administrator into visiting a malicious page can silently change the SMTP configuration and plant a script that executes whenever an administrator opens the settings page, at which point the script runs with that administrator's session.
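To make the described pattern concrete, the following is an added example written for this page; it is not code from the mail250 plugin and does not claim to reproduce its implementation. It shows a settings handler in the shape the advisory describes (no nonce, no capability check, raw storage, raw output) next to a hardened version using the standard WordPress primitives. The option name, action name, field names and function names are hypothetical.

```php
<?php
/*
 * Added example, not mail250's code. Names such as example_smtp_settings,
 * example_smtp_save and the smtp_* fields are hypothetical.
 */

/* --- Vulnerable shape: the request is trusted as-is --- */

function vuln_save_smtp_settings() {
    // Reached for any request to admin-post.php?action=..., including one a
    // lured administrator's browser submits from an attacker's page. No nonce,
    // no capability check, no sanitization.
    $settings = array(
        'host'      => $_POST['smtp_host'],
        'from_name' => $_POST['smtp_from_name'],
    );
    update_option( 'example_smtp_settings', $settings );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-smtp' ) );
    exit;
}

function vuln_render_field( $settings ) {
    // The stored value is echoed unencoded: a from_name such as
    //   "><script>...</script>
    // closes the attribute and runs in every administrator's browser.
    echo '<input name="smtp_from_name" value="' . $settings['from_name'] . '">';
}

/* --- Hardened shape --- */

function safe_save_smtp_settings() {
    // 1. Authorization: only users allowed to manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce bound to this action must be present and valid.
    //    check_admin_referer() terminates the request with 403 on failure.
    check_admin_referer( 'example_smtp_save', 'example_smtp_nonce' );

    // 3. Input validation. sanitize_text_field() strips tags and control
    //    bytes but does not encode quotes, so output encoding is still needed.
    $host      = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    $from_name = sanitize_text_field( wp_unslash( $_POST['smtp_from_name'] ?? '' ) );
    $port      = absint( $_POST['smtp_port'] ?? 587 );
    if ( $port < 1 || $port > 65535 ) {
        $port = 587;
    }

    update_option( 'example_smtp_settings', array(
        'host'      => $host,
        'from_name' => $from_name,
        'port'      => $port,
    ) );
    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=example-smtp' ) ) );
    exit;
}

function safe_render_form( $settings ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_smtp_save">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'example_smtp_save', 'example_smtp_nonce' );
    // 4. Output encoding: esc_attr() neutralizes quotes and angle brackets.
    echo '<input name="smtp_host" value="' . esc_attr( $settings['host'] ) . '">';
    echo '<input name="smtp_from_name" value="' . esc_attr( $settings['from_name'] ) . '">';
    echo '<input name="smtp_port" value="' . esc_attr( (string) $settings['port'] ) . '">';
    echo '<button type="submit">Save</button></form>';
}

add_action( 'admin_post_example_smtp_save', 'safe_save_smtp_settings' );
```

The two halves of the fix are independent: the nonce check alone stops the forged request, and the output encoding alone stops a stored value from executing, but a plugin needs both, since an authenticated user with a valid nonce could still store a payload that another administrator's browser would run.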

Affected Products

mail250 Free WP Mail SMTP, versions 1.0 and earlier (stated in the advisory as 'from n/a through 1.0')

Remediation

Update: upgrade to a patched version newer than 1.0 (the specific fixed version is not given in the source data). Check the WordPress plugin repository or the vendor advisory for the patch release and upgrade via the WordPress admin or by manual deployment.

Workaround (temporary): disable the mail250 Free WP Mail SMTP plugin until a patch is available, or switch to an alternative SMTP plugin (e.g. WP Mail SMTP Pro, Postman SMTP). This removes the CSRF/XSS exposure but drops the plugin's email functionality until remediation.

Mitigation (defense in depth): add Web Application Firewall (WAF) rules that block requests to /wp-admin/ carrying encoded XSS payloads; restrict admin access to an IP allow-list; enforce nonce verification in any custom code that writes plugin settings. These reduce the attack surface but do not fix the vulnerability.

Monitoring: watch WordPress admin audit logs for unexpected changes to plugin settings and review the SMTP configuration for values nobody on the team set. This is post-compromise detection; it does not prevent exploitation but supports incident response.
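For the monitoring item above, the following is an added example (not mail250 code) of a small must-use plugin that records every change to a settings option together with who made it and where the request came from. The option name example_smtp_settings and the function name are hypothetical; substitute the option the plugin actually writes.

```php
<?php
/*
 * Added example, not mail250's code. Drop into wp-content/mu-plugins/ so it
 * loads before other plugins. 'example_smtp_settings' is a hypothetical
 * option name.
 */

function example_log_smtp_option_change( $option, $old_value, $value ) {
    if ( 'example_smtp_settings' !== $option ) {
        return;
    }

    // A CSRF-driven change rides on the victim's own session, so user_id looks
    // legitimate. wp_get_referer() returns false when the Referer header is
    // absent, equals the current URL, or points to a host outside the site's
    // allowed redirect hosts, so a false here is the indicator worth alerting on
    // (with the caveat that a strict Referrer-Policy also yields false).
    $referer = wp_get_referer();

    $record = array(
        'time'    => gmdate( 'c' ),
        'user_id' => get_current_user_id(),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'     => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'referer' => $referer ? $referer : '',
        'suspect' => ! $referer,
        'old'     => $old_value,
        'new'     => $value,
    );

    // One line per change in the PHP error log; ship it to the SIEM from there.
    // The old/new values are logged verbatim, so an injected payload is visible
    // in the record rather than executed.
    error_log( 'smtp-settings-change ' . wp_json_encode( $record ) );
}
add_action( 'updated_option', 'example_log_smtp_option_change', 10, 3 );
```

The hook fires only when the stored value actually changes, so a forged request that re-submits the existing configuration leaves no record; pair it with the WAF and nonce controls rather than relying on it alone.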

Priority Score

36 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +36
POC: 0


CVE-2025-28974 vulnerability details – vuln.today
