Platform
wordpress
Component
smtp-mail
Fixed in
1.3.52
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in photoboxone SMTP Mail, affecting versions from 0.0.0 up to and including 1.3.51. The flaw allows an attacker to trick a logged-in user's browser into submitting actions the user never intended, potentially leading to unauthorized modifications or data exposure. The vulnerability was publicly disclosed on December 9, 2025, and a patch is expected to be released by the vendor.
The CSRF vulnerability in photoboxone SMTP Mail allows an attacker to execute actions on behalf of an authenticated user without their knowledge or consent. This could involve sending malicious emails, modifying email configurations, or potentially gaining access to sensitive data associated with the user's email account. The attacker would need to craft a malicious request and trick the user into visiting a crafted link or page. Successful exploitation could lead to significant disruption of email services and compromise of user data, particularly if the SMTP Mail plugin is integrated with other critical systems.
The vulnerability is currently considered to have a medium probability of exploitation (based on the CVSS score and the relatively simple nature of CSRF attacks). No public proof-of-concept (PoC) code has been released at the time of this writing, but the ease of crafting CSRF attacks suggests that a PoC could emerge quickly. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the photoboxone SMTP Mail plugin, particularly those with user accounts that have administrative privileges or access to sensitive email data, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise of one site could lead to exploitation of others.
• wordpress / composer / npm:
grep -r 'photoboxone SMTP Mail' /var/www/html/wp-content/plugins/
wp plugin list | grep smtp-mail
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/smtp-mail/ | grep Content-Security-Policy
Disclosure
Exploit Status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-62762 is to upgrade photoboxone SMTP Mail to a version containing the security fix. If upgrading immediately is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include implementing strict Content Security Policy (CSP) headers to restrict the origins from which scripts can be executed, or using nonce-based validation for form submissions. Web Application Firewalls (WAFs) can also be configured to detect and block malicious CSRF requests. Monitor SMTP logs for suspicious activity.
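The nonce-based form validation mentioned above is the control that directly defeats CSRF in WordPress: a state-changing request must carry a token that only a page the site itself rendered for this user could have contained. The following is an added illustration written for this advisory; it is not code from the SMTP Mail plugin, and the option name, action name, nonce field name and settings page are assumptions. It shows the unprotected pattern for contrast and the hardened handler beside it.

```php
<?php
/*
 * Added example for this advisory, not code from the SMTP Mail plugin.
 * Names such as example_smtp_host, example_smtp_save and
 * example_smtp_nonce are assumptions chosen for the illustration.
 */

// Unprotected pattern (shown for contrast only; deliberately not hooked).
// The only thing implicitly checked is the session cookie, which the
// browser attaches to any request, including one a third-party page
// submits. That is exactly the gap a CSRF attack exploits.
function example_smtp_settings_save_unsafe() {
    if ( isset( $_POST['example_smtp_host'] ) ) {
        update_option( 'example_smtp_host', $_POST['example_smtp_host'] );
    }
}

// Hardened pattern, step 1: render the form with a nonce bound to one
// specific action. wp_nonce_field() emits a hidden input whose value is
// derived from the current user, the session token and the action name.
function example_smtp_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_smtp_save">
        <?php wp_nonce_field( 'example_smtp_save', 'example_smtp_nonce' ); ?>
        <label>SMTP host
            <input type="text" name="example_smtp_host"
                   value="<?php echo esc_attr( get_option( 'example_smtp_host', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Hardened pattern, step 2: verify authorization and the nonce before
// touching any state.
function example_smtp_settings_save() {
    // Capability check: is this user allowed to change site options at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: the request must carry the token issued for this action.
    // A page on another origin cannot read or forge it, so a cross-site
    // POST stops here. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_smtp_save', 'example_smtp_nonce' );

    // Only now is the input trusted enough to sanitize and store.
    $host = isset( $_POST['example_smtp_host'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_smtp_host'] ) )
        : '';
    update_option( 'example_smtp_host', $host );

    // Redirect back to the (assumed) settings page so a refresh does not
    // resubmit the form.
    wp_safe_redirect( admin_url( 'options-general.php?page=example-smtp&updated=1' ) );
    exit;
}

// admin-post.php dispatches admin_post_{action} only for logged-in users;
// the nonce and capability checks above still run on every request.
add_action( 'admin_post_example_smtp_save', 'example_smtp_settings_save' );
```

The capability check and the nonce check answer different questions (may this user do this, and did this user actually ask for it), so both belong in every state-changing handler; dropping either one leaves either a privilege gap or a CSRF gap. A Content Security Policy or WAF rule can reduce exposure, but neither replaces the per-request token check.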
No known patch available. Study the details of the vulnerability thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2025-62762 is a Cross-Site Request Forgery (CSRF) vulnerability affecting photoboxone SMTP Mail versions 0.0.0 through 1.3.51, allowing attackers to perform unauthorized actions.
If you are using photoboxone SMTP Mail version 0.0.0 to 1.3.51 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade photoboxone SMTP Mail to a patched version as soon as it becomes available. Implement temporary workarounds like CSP headers or WAF rules if immediate upgrade is not possible.
There is currently no confirmed active exploitation, but the ease of CSRF attacks suggests potential for exploitation.
Refer to the photoboxone website or WordPress plugin repository for the official advisory and patch release information.