CVE-2025-28974
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the Free WP Mail SMTP WordPress plugin (up to version 1.0) that allows an attacker to trick authenticated users with higher privileges into performing unwanted actions. These actions can lead to stored Cross-Site Scripting (XSS) attacks, where malicious scripts are saved and executed in the context of the affected site. The vulnerability is related to broken access control and does not require authentication to exploit. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to execute malicious scripts within the context of the affected website by tricking privileged users into performing unintended actions. This can lead to data theft, session hijacking, or other malicious activities impacting the confidentiality, integrity, and availability of the website and its data. However, it is considered low severity and unlikely to be exploited, and no official patch is currently available. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for signs of Cross-Site Request Forgery (CSRF) attempts and stored Cross-Site Scripting (XSS) attacks related to the Free WP Mail SMTP plugin version 1.0 or earlier. Since no official patch or signature-based detection is available, users are advised to perform server-side malware scanning or engage professional incident response services. Plugin-based malware scanners may be unreliable. Specific commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which offers automatic protection even without an official fix. Users should also consider disabling or removing the vulnerable Free WP Mail SMTP plugin version 1.0 or earlier until a patch is available. Monitoring for suspicious activity and seeking professional incident response if compromise is suspected are recommended. [1]