GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF

The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of SMTP configuration settings. An attacker could leverage this to redirect email traffic, potentially leading to phishing campaigns or denial-of-service scenarios by disrupting legitimate email delivery. While direct remote code execution is not possible, the ability to control email routing can be exploited for various malicious purposes, including data exfiltration or impersonation. The blast radius extends to any users who rely on the GetSimple CMS site for email communication.

Administrators of GetSimple CMS sites using the My SMTP Contact Plugin versions 1.1.1–1.1.1 are at risk. Sites with shared hosting environments or those that haven't implemented robust security practices are particularly vulnerable.

• wordpress / composer / npm:

grep -r 'smtp_host = ' /var/www/html/plugins/my-smtp-contact-plugin/

• generic web:

curl -I https://example.com/plugins/my-smtp-contact-plugin/admin.php | grep -i 'csrf token'

1. 2026-01-21Disclosure

   disclosure

1. Reserviert2026-01-14
2. Veröffentlicht2026-01-21
3. Geändert2026-04-07
4. EPSS aktualisiert2026-03-23

The most effective mitigation is to upgrade to a patched version of the My SMTP Contact Plugin as soon as it becomes available. Until a patch is released, implement strict input validation on all parameters related to SMTP configuration. Consider adding CSRF tokens to all relevant forms and actions within the plugin to prevent unauthorized requests. Web application firewalls (WAFs) can be configured to detect and block suspicious requests exhibiting CSRF patterns. Regularly review SMTP configuration settings for any unexpected changes.