Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24739

CVE-2025-24739: FluentSMTP CSRF Vulnerability

CVE-2025-24739 is a Cross-Site Request Forgery flaw in FluentSMTP plugin that enables attackers to perform unauthorized actions on behalf of authenticated users. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-24739 Overview

CVE-2025-24739 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the FluentSMTP plugin for WordPress, developed by Shahjahan Jewel. The flaw exists in all versions up to and including 2.2.80. The issue is tracked under CWE-352: Cross-Site Request Forgery.

An attacker can craft a malicious request that, when triggered by an authenticated administrator visiting a controlled page, performs unauthorized actions within the FluentSMTP plugin. Exploitation requires user interaction, which limits attack scope but does not eliminate risk in phishing scenarios.

Critical Impact

Successful exploitation permits an unauthenticated attacker to trigger administrative state changes in FluentSMTP by luring a logged-in WordPress administrator to a malicious page.

Affected Products

  • Shahjahan Jewel FluentSMTP plugin for WordPress
  • FluentSMTP versions from n/a through <= 2.2.80
  • WordPress sites using the fluent-smtp plugin for outbound email routing

Discovery Timeline

  • 2025-01-24 - CVE-2025-24739 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24739

Vulnerability Analysis

The vulnerability stems from missing or insufficient CSRF protection in the FluentSMTP plugin's request handling. WordPress provides a nonce mechanism to validate the origin of state-changing requests. When plugin endpoints do not verify these tokens correctly, browsers can be tricked into submitting authenticated requests on behalf of a user.

An attacker hosts a malicious page containing a forged form or script targeting a FluentSMTP administrative endpoint. When a logged-in administrator visits the page, the browser automatically attaches session cookies to the request. The plugin processes the action as legitimate because the session is valid.

The impact is limited to integrity of plugin configuration. Confidentiality and availability metrics are not affected under the scored vector. FluentSMTP manages SMTP transport settings, so modification of these settings could redirect outbound mail through attacker-controlled infrastructure.

The EPSS probability is 0.188%, reflecting low observed exploitation activity at the time of scoring.

Root Cause

The root cause is missing anti-CSRF token validation on one or more request handlers within the fluent-smtp plugin. Without a verified nonce or referrer check, the server accepts cross-origin requests that carry a valid authentication cookie. This condition maps directly to [CWE-352].

Attack Vector

The attack vector is network-based with required user interaction. An attacker delivers a crafted link, embedded image, or auto-submitting form through phishing, a compromised site, or a comment field. When an authenticated WordPress administrator loads the payload, the browser issues the forged request to the vulnerable FluentSMTP endpoint.

Since no verified proof-of-concept code is published in the referenced advisory, the mechanism is described in prose. Additional technical detail is available in the Patchstack Fluent SMTP CSRF Vulnerability advisory.

Detection Methods for CVE-2025-24739

Indicators of Compromise

  • Unexpected changes to FluentSMTP connection settings, including SMTP host, port, or credentials
  • Outbound email traffic routed through unfamiliar SMTP relays
  • WordPress audit log entries showing FluentSMTP configuration changes originating from external referrers
  • Administrator sessions preceded by clicks on external links to unknown domains

Detection Strategies

  • Enable WordPress activity logging plugins to capture configuration changes tied to fluent-smtp options
  • Monitor web server access logs for POST requests to FluentSMTP admin endpoints with Referer headers pointing to third-party domains
  • Alert on modifications to WordPress options table rows containing fluentsmtp_settings or similar keys
  • Correlate administrator authentication events with subsequent plugin setting changes to identify suspicious sequences

Monitoring Recommendations

  • Track outbound SMTP destinations at the network egress layer and flag new relays
  • Baseline the list of configured SMTP connections in FluentSMTP and alert on drift
  • Review email headers on outbound mail for unexpected X-Mailer or transport signatures indicating a rerouted relay

How to Mitigate CVE-2025-24739

Immediate Actions Required

  • Update the FluentSMTP plugin to a version later than 2.2.80 as soon as a patched release is available from the vendor
  • Review current FluentSMTP connection settings and verify SMTP hosts, credentials, and default senders match approved values
  • Rotate any SMTP credentials stored in FluentSMTP if unauthorized configuration changes are suspected
  • Require administrators to log out of WordPress before browsing untrusted content

Patch Information

The vulnerability affects FluentSMTP through version 2.2.80. Site operators should consult the Patchstack advisory for the current patched release and upgrade through the WordPress plugin manager or by replacing plugin files directly.

Workarounds

  • Restrict WordPress administrator accounts to dedicated browsers or sessions used only for site management
  • Deploy a web application firewall rule that validates the Referer and Origin headers on requests to /wp-admin/ FluentSMTP endpoints
  • Temporarily disable the FluentSMTP plugin on high-value sites until the patched version is deployed
  • Enforce two-factor authentication on all WordPress administrator accounts to raise the cost of session abuse
bash
# Example WAF rule concept: block cross-origin POSTs to FluentSMTP admin endpoints
SecRule REQUEST_URI "@contains /wp-admin/admin.php" \
  "chain,deny,status:403,id:1024739,msg:'CVE-2025-24739 FluentSMTP CSRF block'"
  SecRule ARGS:page "@streq fluent-mail" \
    "chain"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith https://your-site.example/" "t:none"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.