First published: Tue Feb 18 2025(Updated: )
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
Post SMTP | <=3.0.2 | |
Wpexperts Post SMTP | <3.1.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2025-0521 is classified as a high severity vulnerability due to its potential for Stored Cross-Site Scripting.
To fix CVE-2025-0521, update the Post SMTP plugin to the latest version beyond 3.0.2.
CVE-2025-0521 affects all versions of the Post SMTP plugin for WordPress up to and including version 3.0.2.
CVE-2025-0521 is a Stored Cross-Site Scripting vulnerability resulting from insufficient input sanitization and output escaping.
No, CVE-2025-0521 can be exploited by unauthenticated attackers, making it particularly dangerous.