CVE-2025-62123

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 17:15 (nvd)

Description

Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP wp-gmail-smtp allows Cross Site Request Forgery. This issue affects WP Gmail SMTP: from n/a through <= 1.0.7.

Analysis

Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.

Technical Context

This vulnerability stems from inadequate CSRF token validation in the WP Gmail SMTP plugin, a WordPress extension designed to handle SMTP email configuration. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which occurs when the plugin fails to implement or properly validate security tokens (nonces) that protect state-changing operations. WordPress applications process requests based on authenticated sessions, and without proper CSRF protections, an attacker can craft malicious HTML or JavaScript that, when visited by an authenticated admin, triggers unwanted actions such as modifying SMTP credentials, changing email settings, or potentially escalating privileges. The CPE context indicates this is a WordPress plugin vulnerability affecting the wp-gmail-smtp component distributed through the WordPress plugin ecosystem.
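To make the CWE-352 pattern concrete, here is an added illustration (not the plugin's own code) of a hypothetical WordPress settings handler for SMTP options, first without and then with the nonce and capability checks that close this class of bug; the smtp_demo_* function names, option keys and form fields are assumptions for the example.

```php
<?php
// Added example, not code from WP Gmail SMTP. All smtp_demo_* names are hypothetical.

// VULNERABLE: any POST arriving with the admin's session cookie is processed,
// including one submitted by a form on an attacker-controlled page (CSRF).
function smtp_demo_save_settings_vulnerable() {
    if ( isset( $_POST['smtp_demo_host'] ) ) {
        update_option( 'smtp_demo_host', sanitize_text_field( wp_unslash( $_POST['smtp_demo_host'] ) ) );
        update_option( 'smtp_demo_user', sanitize_text_field( wp_unslash( $_POST['smtp_demo_user'] ) ) );
    }
}

// HARDENED, part 1: the settings form embeds a nonce tied to this action and
// to the current user's session. A cross-site page cannot read this value.
function smtp_demo_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'smtp_demo_save_settings', 'smtp_demo_nonce' ); // hidden nonce + referer fields
    echo '<input type="text" name="smtp_demo_host">';
    echo '<input type="text" name="smtp_demo_user">';
    submit_button( 'Save' );
    echo '</form>';
}

// HARDENED, part 2: the handler verifies the nonce and the caller's capability
// before touching any option. Either check failing aborts with HTTP 403.
function smtp_demo_save_settings_hardened() {
    if ( ! isset( $_POST['smtp_demo_host'] ) ) {
        return; // nothing submitted
    }
    // Capability check: a CSRF request runs with the victim's rights, so this
    // limits exposure to accounts that may manage options in the first place.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: wp_verify_nonce() returns 1 or 2 for a valid, unexpired nonce
    // bound to this action and session, and false for a forged or missing one.
    $nonce = isset( $_POST['smtp_demo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['smtp_demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'smtp_demo_save_settings' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    update_option( 'smtp_demo_host', sanitize_text_field( wp_unslash( $_POST['smtp_demo_host'] ) ) );
    update_option( 'smtp_demo_user', sanitize_text_field( wp_unslash( $_POST['smtp_demo_user'] ) ) );
}

// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'admin_init', 'smtp_demo_save_settings_hardened' );
```

The same two checks apply to AJAX and REST handlers; for admin-ajax.php, check_ajax_referer() performs the nonce verification and exits on failure.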

Affected Products

inkthemes WP Gmail SMTP plugin for WordPress is affected in all versions from the earliest release through version 1.0.7 inclusive. The vulnerability impacts any WordPress installation with this plugin installed and activated, regardless of WordPress version. Users can identify their installation version through the WordPress plugin management interface, and the vulnerability applies to any configuration using the affected plugin.

Remediation

Update the WP Gmail SMTP plugin to a version newer than 1.0.7 once the vendor releases a patched version. Check the plugin's WordPress repository page or the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/wp-gmail-smtp/vulnerability/wordpress-wp-gmail-smtp-plugin-1-0-7-cross-site-request-forgery-csrf-vulnerability for the latest available version and upgrade instructions. As an interim measure, restrict administrative access to trusted users only and monitor for unauthorized changes to SMTP settings through WordPress audit logs. If the plugin is not actively required for email functionality, consider temporarily disabling it until a patch is confirmed available.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

CVE-2025-62123 vulnerability details – vuln.today