MEDIUMCVE-2025-62762CVSS 4.3

WordPress SMTP Mail 插件 <= 1.3.51 - 跨站请求伪造 (CSRF) 漏洞

Q: What is CVE-2025-62762 — CSRF in photoboxone SMTP Mail?

CVE-2025-62762 is a Cross-Site Request Forgery (CSRF) vulnerability affecting photoboxone SMTP Mail versions 0.0.0 through 1.3.51, allowing attackers to perform unauthorized actions.

Q: Am I affected by CVE-2025-62762 in photoboxone SMTP Mail?

If you are using photoboxone SMTP Mail version 0.0.0 to 1.3.51 on your WordPress site, you are potentially affected by this vulnerability.

Q: How do I fix CVE-2025-62762 in photoboxone SMTP Mail?

Upgrade photoboxone SMTP Mail to a patched version as soon as it becomes available. Implement temporary workarounds like CSP headers or WAF rules if immediate upgrade is not possible.

Q: Is CVE-2025-62762 being actively exploited?

There is currently no confirmed active exploitation, but the ease of CSRF attacks suggests potential for exploitation.

Q: Where can I find the official photoboxone advisory for CVE-2025-62762?

Refer to the photoboxone website or WordPress plugin repository for the official advisory and patch release information.

平台

wordpress

组件

smtp-mail

修复版本

1.3.52

AI Confidence: highNVDEPSS 0.0%已审阅: 2026年5月

在NVD查看

保存

正在翻译为您的语言…

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in photoboxone SMTP Mail, affecting versions from 0.0.0 up to and including 1.3.51. This flaw allows an attacker to trick a logged-in user into unknowingly performing actions they didn't intend, potentially leading to unauthorized modifications or data exposure. The vulnerability was publicly disclosed on December 9, 2025, and a patch is expected to be released by the vendor.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The CSRF vulnerability in photoboxone SMTP Mail allows an attacker to execute actions on behalf of an authenticated user without their knowledge or consent. This could involve sending malicious emails, modifying email configurations, or potentially gaining access to sensitive data associated with the user's email account. The attacker would need to craft a malicious request and trick the user into visiting a crafted link or page. Successful exploitation could lead to significant disruption of email services and compromise of user data, particularly if the SMTP Mail plugin is integrated with other critical systems.

利用背景翻译中…

The vulnerability is currently considered to have a medium probability of exploitation (based on the CVSS score and the relatively simple nature of CSRF attacks). No public proof-of-concept (PoC) code has been released at the time of this writing, but the ease of crafting CSRF attacks suggests that a PoC could emerge quickly. It is not currently listed on the CISA KEV catalog.

哪些人处于风险中翻译中…

WordPress websites utilizing the photoboxone SMTP Mail plugin, particularly those with user accounts that have administrative privileges or access to sensitive email data, are at risk. Shared hosting environments where multiple websites share the same server resources are also potentially vulnerable, as a compromise of one site could lead to exploitation of others.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'photoboxone SMTP Mail' /var/www/html/wp-content/plugins/
wp plugin list | grep smtp-mail

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/smtp-mail/ | grep Content-Security-Policy

攻击时间线

2025-12-09Disclosure
disclosure

威胁情报

漏洞利用状态

概念验证未知

CISA KEVNO

互联网暴露高

EPSS

0.02% (5% 百分位)

CISA SSVC

利用情况none

可自动化no

技术影响partial

CVSS 向量

这些指标意味着什么？

Attack Vector: 网络 — 可通过互联网远程利用，无需物理或本地访问。攻击面最大。
Attack Complexity: 低 — 无需特殊条件，可以稳定地利用漏洞。
Privileges Required: 无 — 无需认证，无需凭证即可利用。
User Interaction: 需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope: 未改变 — 影响仅限于脆弱组件本身。
Confidentiality: 无 — 无机密性影响。
Integrity: 低 — 攻击者可修改部分数据，影响有限。
Availability: 无 — 无可用性影响。

受影响的软件

组件smtp-mail

供应商wordfence

影响范围修复版本

0.0.0 – 1.3.511.3.52

弱点分类 (CWE)

CWE-352

时间线

已保留2025-10-21
发布日期2025-12-09
修改日期2026-04-28
EPSS 更新日期2026-03-23

未修复 — 披露已166天

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2025-62762 is to upgrade photoboxone SMTP Mail to a version containing the security fix. If upgrading immediately is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include implementing strict Content Security Policy (CSP) headers to restrict the origins from which scripts can be executed, or using nonce-based validation for form submissions. Web Application Firewalls (WAFs) can also be configured to detect and block malicious CSRF requests. Monitor SMTP logs for suspicious activity.

修复方法

没有已知的补丁可用。请深入审查漏洞的详细信息，并根据您组织的风险承受能力采取缓解措施。最好卸载受影响的软件并寻找替代方案。

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-62762 — CSRF in photoboxone SMTP Mail?

CVE-2025-62762 is a Cross-Site Request Forgery (CSRF) vulnerability affecting photoboxone SMTP Mail versions 0.0.0 through 1.3.51, allowing attackers to perform unauthorized actions.

Am I affected by CVE-2025-62762 in photoboxone SMTP Mail?

If you are using photoboxone SMTP Mail version 0.0.0 to 1.3.51 on your WordPress site, you are potentially affected by this vulnerability.

How do I fix CVE-2025-62762 in photoboxone SMTP Mail?

Upgrade photoboxone SMTP Mail to a patched version as soon as it becomes available. Implement temporary workarounds like CSP headers or WAF rules if immediate upgrade is not possible.

Is CVE-2025-62762 being actively exploited?

There is currently no confirmed active exploitation, but the ease of CSRF attacks suggests potential for exploitation.

Where can I find the official photoboxone advisory for CVE-2025-62762?

Refer to the photoboxone website or WordPress plugin repository for the official advisory and patch release information.

你的项目受影响吗?

上传你的依赖文件，立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE