Severity by source
CVSS 5.7 (Medium) · primary rating from NVD · only source for this CVE
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Description (CVE.org)
The Zohocorp Zoho Mail WordPress plugin is vulnerable to cross-site request forgery (CSRF). This issue affects Zoho Mail WordPress plugin versions before 1.6.2.
Analysis (AI)
Cross-site request forgery in the Zoho Mail WordPress plugin (all versions before 1.6.2) lets a remote attacker make an authenticated WordPress user's browser submit state-changing requests to the plugin that the user never intended, with the browser attaching the user's session cookie. The CVSS 5.7 (Medium) score reflects high integrity impact with no confidentiality or availability impact; exploitation requires a victim who holds a low-privilege authenticated session on the site (PR:L) and who can be induced to interact, typically by visiting an attacker-controlled page (UI:R). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target WordPress site must have the Zoho Mail plugin installed and active at a version below 1.6.2, and the victim must be logged in to that site at the moment the forged request is submitted; the attacker needs no account of their own. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.7 (Medium) score (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) identifies this as a network-accessible, low-complexity vulnerability with a meaningful real-world constraint: victim interaction (UI:R) is mandatory, so exploitation cannot succeed without social-engineering a logged-in WordPress user into visiting a malicious page. Browser defaults for cookies without an explicit SameSite attribute can also stop some cross-site POSTs from carrying the session cookie, which further limits reliability depending on the victim's browser and the site's cookie configuration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page containing a hidden HTML form or auto-submitting JavaScript that targets a state-changing endpoint in the Zoho Mail WordPress plugin, for example one that modifies SMTP credentials or mail routing settings. The attacker then lures an authenticated WordPress user to the page (e.g., via phishing or a link planted in a comment or forum post); the victim's browser silently submits the forged request with the active session cookie, and the plugin configuration changes with no visible indication to the victim. … |
| Remediation | Upgrade the Zoho Mail WordPress plugin to version 1.6.2 or later, which contains the vendor-released fix for this CSRF vulnerability. The update is available through the WordPress plugin repository at https://wordpress.org/plugins/zoho-mail/#developers and can be applied from the WordPress admin dashboard under Plugins > Updates. If the update cannot be applied immediately, deactivating the plugin removes its request handlers until it can be. … Detailed patch versions, workarounds, and compensating controls in full report. |
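The weakness class above, and the check that removes it, as an added illustration that is not the Zoho Mail plugin's code (the plugin's actual handlers are not reproduced on this page): a WordPress settings-save handler that trusts any request arriving with a valid session cookie, beside the same handler protected the way WordPress expects. The action name `zm_example_save`, the option `zm_example_smtp_host`, the nonce field name and the form fields are hypothetical placeholders.

```php
<?php
// Added example: a hypothetical plugin settings handler, NOT the Zoho Mail
// plugin's code. All zm_example_* names are placeholders.

// --- VULNERABLE (CWE-352): the only gate is "is someone logged in?".
// A cross-site page can auto-submit a POST to
// /wp-admin/admin-post.php?action=zm_example_save and the victim's browser
// attaches their WordPress auth cookie, so the option changes silently.
function zm_example_save_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    $host = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    update_option( 'zm_example_smtp_host', $host );
    wp_safe_redirect( admin_url( 'options-general.php?page=zm-example&saved=1' ) );
    exit;
}
// add_action( 'admin_post_zm_example_save', 'zm_example_save_vulnerable' );

// --- HARDENED: authorization, anti-CSRF nonce, and method check.
function zm_example_save_hardened() {
    // 1. Authorization: a nonce proves intent, not permission, so check the
    //    capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Anti-CSRF: the request must carry a nonce minted for this action and
    //    this user. A forged cross-site form cannot know it; on a missing or
    //    invalid nonce check_admin_referer() dies with HTTP 403.
    check_admin_referer( 'zm_example_save', 'zm_example_nonce' );
    // 3. admin_post_{action} also fires for GET; only accept POST for a
    //    state change so a nonce leaked in a URL is not enough on its own.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    $host = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    update_option( 'zm_example_smtp_host', $host );
    wp_safe_redirect( admin_url( 'options-general.php?page=zm-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_zm_example_save', 'zm_example_save_hardened' );

// The legitimate settings form mints the nonce the hardened handler expects.
function zm_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="zm_example_save">
        <?php wp_nonce_field( 'zm_example_save', 'zm_example_nonce' ); ?>
        <label>SMTP host
            <input type="text" name="smtp_host"
                   value="<?php echo esc_attr( get_option( 'zm_example_smtp_host', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

check_admin_referer() validates the field with wp_verify_nonce(); WordPress nonces are bound to the user, the action string and a rolling window of roughly 12 to 24 hours, so a form harvested from one session cannot be replayed against another user. When reviewing any plugin for this weakness class, look for every admin_post_, admin-ajax.php and REST callback that writes options and confirm it performs both a capability check and a nonce (or REST permission_callback) check before the write.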
Related Zohocorp vulnerabilities
- Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, ex…
- Account takeover in ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus is possib…
- Zohocorp ManageEngine ADAudit Plus versions 8510 and prior contain an authenticated SQL injection vulnerability in the a…
- CVE-2025-36528 is an authenticated SQL injection vulnerability in Zohocorp ManageEngine ADAudit Plus versions 8510 and e…
- A SQL injection vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.
- Authenticated remote code execution affects Zoho ManageEngine ADSelfService Plus (before build 6525), DataSecurity Plus…

Same weakness: CWE-352 – Cross-Site Request Forgery (CSRF)
Identifiers: EUVD-2026-31811 · GHSA-v8jj-mm9h-g7fp