CVE-2025-28974
📋 TL;DR
A Cross-Site Request Forgery (CSRF) vulnerability in the Free WP Mail SMTP WordPress plugin allows attackers to perform unauthorized actions on behalf of authenticated administrators. When exploited, this CSRF vulnerability can lead to Stored Cross-Site Scripting (XSS), enabling attackers to inject malicious scripts into the WordPress site. This affects all WordPress sites using Free WP Mail SMTP plugin versions up to 1.0.
💻 Affected Systems
- Free WP Mail SMTP WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that steals administrator credentials, hijacks sessions, defaces websites, or installs backdoors, potentially leading to complete site compromise.
Likely Case
Attackers trick administrators into clicking malicious links that modify plugin settings or inject malicious scripts, leading to credential theft or site defacement.
If Mitigated
With proper CSRF tokens and input validation, the vulnerability would be prevented, and only authenticated users could perform legitimate actions.
🎯 Exploit Status
Exploitation requires tricking authenticated administrators into clicking malicious links or visiting compromised sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.1 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Free WP Mail SMTP' and check if update is available. 4. Click 'Update Now' if update is available. 5. Verify plugin version is 1.0.1 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Free WP Mail SMTP plugin until patched
wp plugin deactivate free-wp-mail-smtp
Implement CSRF protection
allAdd custom CSRF tokens to WordPress forms using security plugins
🧯 If You Can't Patch
- Restrict plugin access to trusted administrators only
- Implement web application firewall (WAF) rules to block CSRF attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Free WP Mail SMTP versionCheck Version:
wp plugin get free-wp-mail-smtp --field=versionVerify Fix Applied:
Verify plugin version is 1.0.1 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/admin.php?page=free-wp-mail-smtp
- Multiple failed CSRF token validations
Network Indicators:
- Suspicious referrer headers in requests to admin endpoints
- Unexpected cross-origin requests to plugin admin pages
SIEM Query:
source="wordpress.log" AND ("free-wp-mail-smtp" OR "admin.php?page=free-wp-mail-smtp") AND (POST OR PUT)