
Zoho Mail Plugin CVE-2026-8174

EUVD ID: EUVD-2026-31811 · Severity: MEDIUM
Weakness: Cross-Site Request Forgery (CSRF) (CWE-352)
Published: 2026-05-26 · Vendor: Zohocorp · Advisory: GHSA-v8jj-mm9h-g7fp
CVSS 3.1 base score (NVD): 5.7

Severity by source

NVD (primary): 5.7 MEDIUM
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 08, 2026 - 12:19 (vuln.today)
Patch available: May 26, 2026 - 15:01 (EUVD)
CVE Published: May 26, 2026 - 11:04 (nvd)

Description (CVE.org)

The Zohocorp Zoho Mail WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF).

This issue affects Zoho Mail WordPress plugin versions before 1.6.2.

Analysis (AI)

Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) lets a remote attacker perform unauthorized, integrity-impacting actions on behalf of an authenticated WordPress user without that user's knowledge. The CVSS 5.7 (medium) score reflects high integrity impact with no confidentiality or availability exposure; it requires a victim with low privileges who is already authenticated and who interacts with attacker-controlled content. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify a target WordPress site running the Zoho Mail plugin at a version below 1.6.2
Delivery: Craft a malicious HTML page containing a forged plugin action request
Exploit: Lure an authenticated WordPress user into visiting the page
Execution: The browser auto-submits the request with the victim's session credentials
Persist: The plugin processes the forged request without nonce validation
Impact: Attacker-controlled plugin settings are applied

Vulnerability Assessment (AI)

Exploitation: The target WordPress site must have the Zoho Mail plugin installed and active at a version below 1.6.2. …

Risk Assessment: The CVSS 5.7 medium score (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) identifies this as a network-accessible, low-complexity vulnerability with a meaningful real-world constraint: victim interaction (UI:R) is mandatory, so exploitation cannot succeed without social-engineering a logged-in WordPress user into visiting a malicious page. …

Exploit Scenario: An attacker crafts a malicious web page containing a hidden HTML form or auto-submitting JavaScript that targets a state-changing endpoint in the Zoho Mail WordPress plugin, such as one that modifies SMTP credentials or mail-routing settings. The attacker then lures an authenticated WordPress user (for example, via phishing or a compromised comment or forum link) to visit the page. The victim's browser silently submits the forged request with the victim's active session cookie, changing the plugin configuration with no visible indication to the victim. …

Remediation: Upgrade the Zoho Mail WordPress plugin to version 1.6.2 or later, which contains the vendor-released patch for this CSRF vulnerability. The update is available through the WordPress plugin repository at https://wordpress.org/plugins/zoho-mail/#developers and can be applied directly from the WordPress admin dashboard under Plugins > Updates. …


CVE-2026-8174 vulnerability details – vuln.today
