Cyber Posture

CVE-2025-23703

Severity: High

Published: 16 January 2025

Modified: 23 April 2026
KEV Added: (none)
Patch: available (see the Patchstack advisory under Security Summary)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0013 (31.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Cross-Site Request Forgery (CSRF) vulnerability in cstoltenkamp Free MailClient FMC mailclient allows Stored XSS. This issue affects Free MailClient FMC: from n/a through <= 1.0.

Security Summary

CVE-2025-23703 is a Cross-Site Request Forgery (CSRF) vulnerability in the Free MailClient FMC WordPress plugin by cstoltenkamp that allows Stored XSS. The issue affects the plugin from unknown initial versions through 1.0 inclusive, as documented under CWE-352.

The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating exploitation over the network with low attack complexity, no required privileges, and required user interaction. An unauthenticated attacker can trick an authenticated user into submitting a forged request from a crafted webpage; because the plugin accepts the request without verifying its origin, the attacker's XSS payload is stored and later executes in the browsers of users who view the affected content, with changed scope and low impact on confidentiality, integrity, and availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mailclient/vulnerability/wordpress-free-mailclient-fmc-plugin-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.

Details

CWE(s): CWE-352

References