CVE-2025-49028

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 09:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS. This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1.

Analysis

A stored XSS vulnerability in the Zoho ZeptoMail transmail WordPress plugin, through version 3.3.1, can be triggered via Cross-Site Request Forgery (CSRF). An unauthenticated attacker who gets an authenticated user (typically an administrator) to submit a crafted request can inject malicious scripts that persist in the application and execute in the browsers of all users who access affected pages. The vulnerability affects the transmail plugin for Zoho Mail integration and carries a low exploitation probability (EPSS 0.02%) despite the high impact typical of stored XSS.

Technical Context

The weakness is classified as CWE-352 (Cross-Site Request Forgery): the transmail plugin does not adequately validate CSRF tokens on endpoints that also store user input without sufficient sanitization or output encoding. An attacker can therefore craft a request that, when issued by an authenticated administrator or user, writes a persistent JavaScript payload into the plugin's stored data. The vulnerability chains CSRF (no verification of state-changing requests) with stored XSS (insufficient output encoding), so the injected script persists across sessions and users. The affected product is the WordPress plugin 'transmail', maintained by Zoho, which integrates Zoho Mail services into WordPress environments.

Affected Products

The Zoho ZeptoMail transmail WordPress plugin is affected in all versions through 3.3.1. The plugin integrates Zoho Mail functionality into WordPress environments and is maintained by Zoho. No patched version above 3.3.1 is confirmed in the available data, so every release from the initial publication through version 3.3.1 should be treated as affected.

Remediation

Update the transmail plugin to a version beyond 3.3.1 if available from the Zoho plugin repository, or disable the plugin pending a security update from Zoho. Site administrators should verify that CSRF tokens (nonces) are implemented on all state-changing operations within the plugin and that all user input is properly sanitized and output-encoded before rendering in HTML or JavaScript contexts. Review plugin settings and stored data in the WordPress database to detect any existing malicious payloads that may have been injected. Refer to the Patchstack security database (https://patchstack.com/database/Wordpress/Plugin/transmail/) for the latest advisory and patch status updates.
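As an added example (not the transmail plugin's own code), the PHP below contrasts the weak pattern the analysis describes with the pattern the remediation calls for: a WordPress nonce on the state-changing request, a capability check, input sanitization on save, and output escaping on render. The `hypothetical_` function names, the option key `hypothetical_sender_name`, and the form field names are assumptions made for illustration.

```php
<?php
// Added illustrative example; not code from the transmail plugin.
// Option key, field names and function names are hypothetical.

// --- Weak pattern: the shape of the CSRF -> stored XSS chain ---
// Saves a POSTed value with no nonce check and no sanitization ...
function hypothetical_weak_save_settings() {
    if ( isset( $_POST['sender_name'] ) ) {
        update_option( 'hypothetical_sender_name', $_POST['sender_name'] );
    }
}
// ... and echoes the stored value back without escaping, so any markup
// that reached the database runs in every admin's browser.
function hypothetical_weak_render_settings() {
    $name = get_option( 'hypothetical_sender_name', '' );
    echo '<input type="text" name="sender_name" value="' . $name . '">';
}

// --- Hardened pattern ---
// Render the form with a nonce field and escape the stored value for
// an HTML attribute context.
function hypothetical_render_settings_form() {
    $name = get_option( 'hypothetical_sender_name', '' );
    echo '<form method="post">';
    wp_nonce_field( 'hypothetical_save_settings', 'hypothetical_nonce' );
    echo '<input type="text" name="sender_name" value="' . esc_attr( $name ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the save: only on a real submission, only for users who may
// change options, only with a valid nonce, and only with sanitized input.
function hypothetical_save_settings() {
    if ( ! isset( $_POST['sender_name'] ) ) {
        return; // not a form submission
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    $nonce = isset( $_POST['hypothetical_nonce'] )
        ? sanitize_key( $_POST['hypothetical_nonce'] )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_save_settings' ) ) {
        wp_die( 'Invalid request.' ); // CSRF check failed: request did not originate from our form
    }
    // Strip slashes WordPress adds, then reduce the value to plain text.
    $name = sanitize_text_field( wp_unslash( $_POST['sender_name'] ) );
    update_option( 'hypothetical_sender_name', $name );
}
add_action( 'admin_init', 'hypothetical_save_settings' );
```

The nonce check is what closes the CSRF half of the chain, since a forged cross-site request cannot carry a nonce tied to the victim's session; sanitizing on save and escaping on output close the stored-XSS half independently, so a value that slips past one layer is still neutralized by the other. For the review step the remediation recommends, the same option key is what to inspect in the `wp_options` table (for example with `wp option get`), looking for unexpected `<script>` tags or event-handler attributes in stored values.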

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
