CVE-2025-0521
Published: 18 February 2025
Description
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Security Summary
CVE-2025-0521 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Post SMTP plugin for WordPress. It affects all versions up to and including 3.0.2 due to insufficient input sanitization and output escaping of the "from" and "subject" parameters. The flaw enables the injection of arbitrary web scripts into pages. It was publicly disclosed on 2025-02-18 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity and no privileges or user interaction required. By submitting malicious payloads via the affected parameters, they can store scripts on the site that execute in the browser of any user who accesses the injected page, potentially leading to session hijacking, data theft, or further site compromise given the changed scope in the CVSS vector.
Mitigation details are available in advisories from Wordfence and the WordPress plugin trac repository. The plugin's trunk saw a relevant changeset from revision 3229076 to 3237626, indicating a patch that addresses the sanitization issues in versions beyond 3.0.2. Security practitioners should urge WordPress site owners to update the Post SMTP plugin immediately.
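To find installations that still fall in the affected range, the added example below (not code from the plugin or from the advisories) reads the standard WordPress plugin header of each plugin under a plugins directory and flags Post SMTP copies at version 3.0.2 or lower. It assumes the plugin's "Plugin Name:" header begins with "Post SMTP"; the directory names and the 3.1.0 version in the sample tree are constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (3, 0, 2)   # advisory: all versions up to and including 3.0.2
PLUGIN_NAME = "post smtp"   # assumption: how the plugin's "Plugin Name:" header starts
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def read_header(php_file):
    """Parse the WordPress plugin header comment (WordPress reads the first 8 KB)."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields

def parse_version(text):
    """'3.0.2' -> (3, 0, 2); short versions are zero-padded, '-beta' style suffixes dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(plugins_dir):
    """Return [(directory, version, affected)] for each Post SMTP copy under plugins_dir."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if not header.get("plugin name", "").lower().startswith(PLUGIN_NAME):
            continue
        version = header.get("version", "")
        # A missing or unparsable version becomes (0, 0, 0) and is reported as affected.
        findings.append((php_file.parent.name, version, parse_version(version) <= LAST_AFFECTED))
    return findings

def build_sample_tree(root):
    """Constructed sample data: fake plugin directories, names and versions invented."""
    samples = {"smtp-copy-old": ("Post SMTP", "3.0.2"),
               "smtp-copy-new": ("Post SMTP", "3.1.0"),
               "other-plugin": ("Example Forms", "1.0")}
    for dirname, (name, version) in samples.items():
        plugin_dir = Path(root) / dirname
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "plugin.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n", encoding="utf-8")

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, version, affected in audit(target):
        print(f"{directory}: {version or 'unknown'} ->", "AFFECTED" if affected else "newer than 3.0.2")
```

Updating removes the injection path going forward; the page does not say whether scripts already stored through the from or subject fields are cleaned up by the patch, so previously logged entries deserve a separate review.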
Details
- CWE(s)