CVE-2025-22753

High

Published: 15 January 2025

Published

15 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS Score 0.0010 27.7th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in turboSMTP turboSMTP turbosmtp allows Reflected XSS.This issue affects turboSMTP: from n/a through <= 4.6.

Security Summary

CVE-2025-22753 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the turboSMTP WordPress plugin. The issue impacts all versions of turboSMTP from n/a through 4.6 inclusive and was published on 2025-01-15.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating it is exploitable over the network with low attack complexity, no privileges required, but user interaction needed, and a changed scope. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with maliciously crafted links or inputs reflected in web pages generated by the plugin, enabling arbitrary script execution in the victim's browser context with low impacts to confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/turbosmtp/vulnerability/wordpress-turbosmtp-plugin-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-79

References

https://patchstack.com/database/Wordpress/Plugin/turbosmtp/vulnerability/wordpress-turbosmtp-plugin-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
audit@patchstack.com