Platform
wordpress
Component
smtp-mail
Fixed in
1.3.52
A Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2025-62762, has been identified in the photoboxone SMTP Mail plugin for WordPress, affecting all versions up to and including 1.3.51. The flaw lets an attacker make a logged-in user's browser submit a request the user never intended, which can lead to unauthorized changes to the plugin's configuration. The vulnerability was publicly disclosed on December 9, 2025; version 1.3.52 is the release that contains the fix.
In a CSRF attack, the attacker never touches the victim's credentials: the attacker hosts a page (or sends a link) that causes the victim's browser to send a state-changing request to the WordPress site, and the browser attaches the victim's session cookies automatically. Because a vulnerable handler does not verify that the request originated from its own form (for example via a WordPress nonce), it processes the request as if the authenticated user had submitted it. What the attacker can achieve is bounded by what the unprotected action does; for an SMTP plugin that plausibly means altering mail settings (server, credentials, sender address) or triggering outbound mail. The attacker cannot read the site's responses, so direct data exposure is unlikely; the realistic impact is tampering with how the site sends mail, which is serious where that mail carries password resets or notifications to other systems. Exploitation requires that the victim is logged in with sufficient privileges and visits attacker-controlled content while that session is valid.
The EPSS score of 0.02% (5th percentile) predicts a low probability of exploitation in the wild. That said, CSRF is simple to weaponize once the vulnerable action and its parameters are known, so a proof of concept could appear quickly; none had been published at the time of writing. The CVE is not listed in the CISA KEV catalog.
WordPress sites running the photoboxone SMTP Mail plugin at or below version 1.3.51 are affected. The practical risk concentrates on accounts that can change the plugin's settings, typically administrators, who browse other websites while logged in to WordPress. Operators who use one administrator login across several WordPress installations (agency or shared-hosting setups) widen the set of targets, since any of those sites can be hit while the administrator is browsing elsewhere.
• wordpress (on the server):
ls /var/www/html/wp-content/plugins/smtp-mail/ && grep -rh -m1 '^ \?\*\? \?Version:' /var/www/html/wp-content/plugins/smtp-mail/*.php
wp plugin get smtp-mail --field=version
• generic web (remote, unauthenticated; relies on the plugin's readme.txt being readable):
curl -s https://your-wordpress-site.com/wp-content/plugins/smtp-mail/readme.txt | grep -i 'Stable tag'
Any version below 1.3.52 is affected. A Content-Security-Policy header tells you nothing about CSRF exposure, so checking for one is not a useful test here.
disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62762 is to upgrade photoboxone SMTP Mail to version 1.3.52 or later. The code-level fix for CSRF is nonce validation in the plugin's request handlers, which only the vendor can ship; a Content Security Policy does not prevent CSRF, because the forged request is an ordinary form submission or navigation that CSP does not govern. If you cannot upgrade immediately, realistic interim measures are: deactivate the plugin until you can; restrict access to /wp-admin/ and /wp-admin/admin-post.php by IP or with an additional authentication layer in front of WordPress; add a WAF rule that blocks POST requests to the plugin's admin endpoints whose Origin or Referer header is not your own site; and watch the plugin's stored settings (SMTP host, credentials, from-address) and your mail logs for changes or sending patterns you did not initiate.
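The following is an added illustrative example and not code from the SMTP Mail plugin or its vendor: a minimal WordPress settings handler written in the CSRF-prone style described above, followed by the hardened version that applies the nonce validation the mitigation paragraph refers to. The `smtpdemo_*` names, the `smtpdemo_host` option key and the attacker page sketched in the comments are assumptions for the demo only.

```php
<?php
// Added example (not the plugin's own code). Both handlers are registered on
// admin-post.php; the option key 'smtpdemo_host' and all smtpdemo_* names are
// placeholders chosen for this demo.

// --- Vulnerable pattern ----------------------------------------------------
// A page on attacker.example containing (hypothetical):
//   <form method="POST" action="https://victim.example/wp-admin/admin-post.php">
//     <input type="hidden" name="action"    value="smtpdemo_save_vuln">
//     <input type="hidden" name="smtp_host" value="relay.attacker.example">
//   </form><script>document.forms[0].submit()</script>
// is submitted by the victim's browser. WordPress sets no SameSite attribute on
// its auth cookies, so whether they are attached depends on browser defaults;
// a server-side nonce check is the only reliable defence.
add_action( 'admin_post_smtpdemo_save_vuln', 'smtpdemo_save_vuln' );
function smtpdemo_save_vuln() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges', 403 );
	}
	// No nonce check: a capability check alone does not prove the admin
	// intended this request, only that the session belongs to an admin.
	$host = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
	update_option( 'smtpdemo_host', $host );
	wp_safe_redirect( admin_url( 'options-general.php?page=smtpdemo' ) );
	exit;
}

// --- Hardened pattern ------------------------------------------------------
// The form embeds a nonce bound to the current user's session and to the
// action name; an attacker's page cannot obtain it.
function smtpdemo_settings_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<?php wp_nonce_field( 'smtpdemo_save', 'smtpdemo_nonce' ); ?>
		<input type="hidden" name="action" value="smtpdemo_save">
		<label>SMTP host
			<input type="text" name="smtp_host"
			       value="<?php echo esc_attr( get_option( 'smtpdemo_host', '' ) ); ?>">
		</label>
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

add_action( 'admin_post_smtpdemo_save', 'smtpdemo_save' );
function smtpdemo_save() {
	// Authorization: who may do this at all.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient privileges', 403 );
	}
	// Intent: check_admin_referer() verifies the nonce for this action and
	// dies with a 403 when it is missing, invalid or expired.
	check_admin_referer( 'smtpdemo_save', 'smtpdemo_nonce' );

	$host = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
	if ( '' === $host ) {
		wp_die( 'Missing SMTP host', 400 );
	}
	update_option( 'smtpdemo_host', $host );
	wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=smtpdemo' ) ) );
	exit;
}
```

Two points worth keeping in mind when reviewing a plugin for this class of bug: the capability check and the nonce check answer different questions (may this user do this, and did this user actually ask for it), so both are needed; and WordPress nonces are valid for up to 24 hours and are not single-use, so every state-changing handler, including ones triggered by GET links and AJAX actions (use `check_ajax_referer()` there), must perform its own verification.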
If upgrading to 1.3.52 is not possible in your environment, review the vulnerability in depth and apply mitigations according to your organization's risk tolerance; where the plugin is not essential, uninstalling it and switching to a maintained alternative is the safest option.
CVE-2025-62762 is a Cross-Site Request Forgery (CSRF) vulnerability affecting photoboxone SMTP Mail versions 0.0.0 through 1.3.51, allowing attackers to perform unauthorized actions.
If you are using photoboxone SMTP Mail version 0.0.0 to 1.3.51 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade photoboxone SMTP Mail to version 1.3.52 or later. If an immediate upgrade is not possible, deactivate the plugin or restrict access to its admin pages and add WAF rules; CSP headers do not stop CSRF.
There is currently no confirmed active exploitation, but CSRF attacks are easy to craft once the vulnerable action is known, so exploitation remains plausible.
Refer to the plugin's page on the WordPress plugin repository and the vendor's changelog for the official advisory and release information.