Platform: wordpress
Component: smtp-mail
Fixed in: 1.3.52
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in photoboxone SMTP Mail, affecting versions from 0.0.0 up to and including 1.3.51. This flaw allows an attacker to trick a logged-in user into unknowingly performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure. The vulnerability was publicly disclosed on December 9, 2025, and a patch is expected to be released by the vendor.
The CSRF vulnerability in photoboxone SMTP Mail allows an attacker to execute actions on behalf of an authenticated user without their knowledge or consent. This could involve sending malicious emails, modifying email configurations, or potentially gaining access to sensitive data associated with the user's email account. The attacker would need to craft a malicious request and trick the user into visiting a crafted link or page. Successful exploitation could lead to significant disruption of email services and compromise of user data, particularly if the SMTP Mail plugin is integrated with other critical systems.
The vulnerability is currently considered to have a medium probability of exploitation (based on the CVSS score and the relatively simple nature of CSRF attacks). No public proof-of-concept (PoC) code has been released at the time of this writing, but the ease of crafting CSRF attacks suggests that a PoC could emerge quickly. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-62762 is to upgrade photoboxone SMTP Mail to a version containing the security fix. If upgrading immediately is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include implementing strict Content Security Policy (CSP) headers to restrict the origins from which scripts can be executed, or using nonce-based validation for form submissions. Web Application Firewalls (WAFs) can also be configured to detect and block malicious CSRF requests. Monitor SMTP logs for suspicious activity.
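As an added illustration of the nonce-based form validation mentioned above (example code, not the plugin's own; all function, option and action names are hypothetical), here is a WordPress settings handler in an unprotected form and a hardened form:

```php
<?php
// Added example (not the plugin's own code): a hypothetical WordPress settings
// handler, first without CSRF protection, then hardened with a nonce and a
// capability check. All function, option and action names are illustrative.

// Weak pattern: any POST reaching admin-post.php is trusted as the logged-in user,
// so a forged cross-site form submission can change the SMTP configuration.
function example_smtp_save_unprotected() {
    update_option( 'example_smtp_host', $_POST['smtp_host'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-smtp' ) );
    exit;
}

// Hardened pattern: the form carries a nonce bound to this user and action...
function example_smtp_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_smtp_save">
        <?php wp_nonce_field( 'example_smtp_save', 'example_smtp_nonce' ); ?>
        <input type="text" name="smtp_host"
               value="<?php echo esc_attr( get_option( 'example_smtp_host', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// ...and the handler refuses requests that lack a valid one.
function example_smtp_save_protected() {
    // Authorization: only users who may manage settings can change SMTP config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: a cross-site form cannot know the nonce, so a forged
    // request dies here with a 403 before any option is touched.
    check_admin_referer( 'example_smtp_save', 'example_smtp_nonce' );

    // Validate and sanitize before persisting.
    $host = sanitize_text_field( wp_unslash( $_POST['smtp_host'] ?? '' ) );
    if ( '' === $host || ! preg_match( '/^[A-Za-z0-9.-]+$/', $host ) ) {
        wp_die( 'Invalid SMTP host.', '', array( 'response' => 400 ) );
    }
    update_option( 'example_smtp_host', $host );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-smtp&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_smtp_save', 'example_smtp_save_protected' );
```

When reviewing a plugin for this class of bug, look for `update_option` or `wp_mail` calls reachable from an `admin_post_*`, `wp_ajax_*` or `admin_init` hook that are not preceded by `check_admin_referer`/`check_ajax_referer` and a `current_user_can` check.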
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-62762 is a Cross-Site Request Forgery (CSRF) vulnerability affecting photoboxone SMTP Mail versions 0.0.0 through 1.3.51, allowing attackers to perform unauthorized actions.
If you are using photoboxone SMTP Mail version 0.0.0 to 1.3.51 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade photoboxone SMTP Mail to a patched version as soon as it becomes available. Implement temporary workarounds like CSP headers or WAF rules if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the ease of CSRF attacks suggests potential for exploitation.
Refer to the photoboxone website or WordPress plugin repository for the official advisory and patch release information.