Platform: wordpress
Component: wp-gmail-smtp
Fixed in: 1.0.8
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WP Gmail SMTP plugin for WordPress. This flaw allows an attacker to trick authenticated users into performing actions they did not intend to, potentially leading to unauthorized email configuration changes or other malicious activities. The vulnerability affects versions from 0.0 up to and including 1.0.7. A patch is available to resolve this issue.
The CSRF vulnerability in WP Gmail SMTP allows an attacker to craft malicious requests that appear to originate from a legitimate user. If a user is logged into WordPress and visits a crafted link, the attacker can execute actions as that user without their knowledge. This could include modifying SMTP settings, adding or removing email accounts, or potentially gaining access to sensitive email data. The impact is amplified if the plugin is used in environments with shared hosting or where user permissions are not strictly controlled, as an attacker could potentially compromise multiple WordPress installations.
As of the publication date (2025-12-31), there is no indication of active exploitation of CVE-2025-62123. Public proof-of-concept (POC) code is not currently available. The vulnerability has been added to the NVD database and is being tracked by CISA. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.01% (0% percentile)
The primary mitigation for CVE-2025-62123 is to upgrade the WP Gmail SMTP plugin to a version containing the fix. If upgrading immediately is not possible due to compatibility concerns or breaking changes, consider implementing temporary workarounds such as adding nonce validation to all sensitive plugin actions. Implementing a Web Application Firewall (WAF) with CSRF protection rules can also help to block malicious requests. Regularly review plugin settings and user permissions to ensure they are properly configured.
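The nonce validation mentioned above, shown as an added example of how a WordPress settings-save handler is protected against CSRF. This is illustrative code, not the WP Gmail SMTP plugin's own code, and the option name, nonce action, form fields and admin-post action name are all hypothetical.

```php
<?php
// Added example, not code from the WP Gmail SMTP plugin. It shows the two checks
// that stop a forged cross-site request from changing mail settings: a capability
// check and a nonce check bound to the logged-in user's session.

// Hypothetical option name and nonce action, not taken from the plugin.
const EXAMPLE_OPTION       = 'example_smtp_settings';
const EXAMPLE_NONCE_ACTION = 'example_smtp_save_settings';

// Render the settings form. wp_nonce_field() emits a hidden token that an
// attacker's page cannot know, so a forged POST cannot include a valid one.
function example_smtp_render_form() {
    $settings = get_option( EXAMPLE_OPTION, array( 'host' => '', 'port' => 587 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_smtp_save">
        <?php wp_nonce_field( EXAMPLE_NONCE_ACTION, '_example_smtp_nonce' ); ?>
        <label>SMTP host <input type="text" name="host"
               value="<?php echo esc_attr( $settings['host'] ); ?>"></label>
        <label>SMTP port <input type="number" name="port"
               value="<?php echo esc_attr( $settings['port'] ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the save. Without the nonce check, a logged-in administrator who loads an
// attacker-controlled page could have this handler run with attacker-chosen values.
function example_smtp_save_settings() {
    // Authorization: only users who may manage options can change mail settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF defence: the nonce must be present and valid for this action;
    // check_admin_referer() stops execution with an error page if it is not.
    check_admin_referer( EXAMPLE_NONCE_ACTION, '_example_smtp_nonce' );

    // Sanitize input before persisting it.
    $host = isset( $_POST['host'] ) ? sanitize_text_field( wp_unslash( $_POST['host'] ) ) : '';
    $port = isset( $_POST['port'] ) ? absint( $_POST['port'] ) : 587;
    update_option( EXAMPLE_OPTION, array( 'host' => $host, 'port' => $port ) );

    // Hypothetical settings page slug for the redirect back to the form.
    wp_safe_redirect( admin_url( 'options-general.php?page=example-smtp&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_smtp_save', 'example_smtp_save_settings' );
```

A handler that persists settings without the check_admin_referer() call is exactly the pattern a CSRF finding like this one describes; a WAF rule can only approximate this check because it cannot see the per-user nonce.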
CVE-2025-62123 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Gmail SMTP plugin for WordPress, allowing attackers to perform unauthorized actions.
You are affected if you are using the WP Gmail SMTP plugin in versions 0.0 through 1.0.7. Upgrade to a patched version to resolve the vulnerability.
Upgrade the WP Gmail SMTP plugin to the latest available version. If immediate upgrade is not possible, consider temporary workarounds like nonce validation or a WAF.
As of the publication date, there is no evidence of active exploitation of CVE-2025-62123.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.