CVE-2025-28974: Free WP Mail SMTP CSRF Vulnerability

CVE-2025-28974 Overview

CVE-2025-28974 is a Cross-Site Request Forgery (CSRF) vulnerability in the Free WP Mail SMTP WordPress plugin by mail250 that enables attackers to perform Stored Cross-Site Scripting (XSS) attacks. This chained vulnerability allows unauthenticated attackers to trick authenticated administrators into executing malicious actions, ultimately injecting persistent malicious scripts into the WordPress site.

Critical Impact

Attackers can leverage CSRF to inject stored XSS payloads, potentially compromising administrator accounts, stealing session cookies, defacing websites, or distributing malware to site visitors.

Affected Products

• Free WP Mail SMTP WordPress Plugin version 1.0 and earlier
• WordPress installations using the vulnerable Free WP Mail SMTP plugin
• Sites with administrator users who may interact with malicious links

Discovery Timeline

• 2025-06-06 - CVE-2025-28974 published to NVD
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-28974

Vulnerability Analysis

This vulnerability combines two attack vectors: Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS). The Free WP Mail SMTP plugin lacks proper CSRF token validation on sensitive administrative endpoints, allowing attackers to craft malicious requests that authenticated administrators unknowingly execute. When successful, this CSRF weakness enables the injection of malicious JavaScript code that gets persistently stored in the WordPress database.

The network-based attack vector requires user interaction, typically through social engineering tactics where administrators are tricked into clicking malicious links or visiting attacker-controlled pages while authenticated to their WordPress dashboard. The scope is changed, meaning the vulnerability can impact resources beyond the vulnerable component itself—affecting site visitors who encounter the stored XSS payload.

Root Cause

The root cause of this vulnerability is the absence of proper CSRF protection mechanisms (such as nonce verification) in the plugin's administrative form handlers. WordPress provides built-in functions like wp_nonce_field() and wp_verify_nonce() for CSRF protection, but the Free WP Mail SMTP plugin fails to implement these security controls. Additionally, insufficient input sanitization and output encoding allows malicious scripts to be stored and rendered without proper escaping.

Attack Vector

The attack unfolds in multiple stages. First, an attacker crafts a malicious HTML page or link containing a forged request targeting the vulnerable plugin endpoint. When an authenticated WordPress administrator visits this malicious page, their browser automatically sends the forged request along with their valid session cookies. The plugin processes this request without verifying its legitimacy, storing the attacker's XSS payload in the database. Subsequently, when any user (including administrators or site visitors) views a page that renders the stored malicious content, the XSS payload executes in their browser context.

This attack can lead to session hijacking, administrative account takeover, website defacement, redirection to phishing sites, or the distribution of malware to unsuspecting visitors.

Detection Methods for CVE-2025-28974

Indicators of Compromise

• Unexpected or unauthorized changes to Free WP Mail SMTP plugin settings
• Suspicious JavaScript code snippets in plugin configuration fields or database entries
• Unusual outbound requests from client browsers to unknown external domains
• Administrator reports of strange behavior after clicking external links

Detection Strategies

• Review WordPress database tables associated with the Free WP Mail SMTP plugin for suspicious script tags or encoded JavaScript
• Monitor web server access logs for unusual POST requests to plugin administrative endpoints without valid referer headers
• Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
• Deploy web application firewalls (WAF) with rules to detect CSRF and XSS attack patterns

Monitoring Recommendations

• Enable WordPress audit logging to track configuration changes to the Free WP Mail SMTP plugin
• Configure browser-based XSS detection alerts through CSP violation reporting
• Regularly scan WordPress installations using security plugins that identify stored XSS vulnerabilities
• Monitor for anomalous administrator session activity that may indicate account compromise

How to Mitigate CVE-2025-28974

Immediate Actions Required

• Deactivate and remove the Free WP Mail SMTP plugin (free-wp-mail-smtp) immediately if running version 1.0 or earlier
• Review and clean any suspicious entries in the plugin's stored settings and associated database tables
• Rotate administrator passwords and invalidate existing sessions for all WordPress users
• Audit your WordPress installation for signs of compromise or injected malicious scripts

Patch Information

As of the published CVE data, the vulnerability affects Free WP Mail SMTP version 1.0 and earlier. Site administrators should check the WordPress plugin repository for updated versions that address this security issue. If no patched version is available, consider migrating to an alternative SMTP plugin with an established security track record. For detailed vulnerability information, refer to the Patchstack Vulnerability Report.

Workarounds

• Implement a Web Application Firewall (WAF) with CSRF and XSS protection rules
• Restrict administrative access to trusted IP addresses only using .htaccess or firewall rules
• Add custom CSRF validation to the plugin's form handlers if technically feasible
• Educate administrators about the risks of clicking links from untrusted sources while logged into WordPress

# Disable the vulnerable plugin via WP-CLI
wp plugin deactivate free-wp-mail-smtp

# Remove the plugin entirely
wp plugin delete free-wp-mail-smtp

# Search database for potential XSS payloads
wp db search "<script" --all-tables