CVE-2026-8174
BaseFortify
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: ManageEngine
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoho | zoho_mail | before 1.6.2 (1.6.2 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Zoho Mail WordPress plugin is a Cross-Site Request Forgery (CSRF) issue. This means that an attacker could trick a logged-in user into performing unwanted actions on the plugin without their consent.
Specifically, versions of the Zoho Mail WordPress plugin before 1.6.2 are affected by this vulnerability.
How can this vulnerability impact me?
Because this is a CSRF vulnerability, an attacker could potentially cause a user to unknowingly execute actions within the Zoho Mail plugin on their WordPress site.
According to the CVSS score (5.7), the impact is moderate with a high impact on integrity but no impact on confidentiality or availability.
This could lead to unauthorized changes or actions within the plugin, potentially affecting email sending configurations or behavior.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the Cross-Site Request Forgery (CSRF) vulnerability in the Zoho Mail WordPress plugin, you should update the plugin to version 1.6.2 or later, as this version addresses the security issue.