CVE-2025-62123

Gmail SMTP <= 1.0.7 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Gmail SMTP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.7
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginwp-gmail-smtp
Research Plan
Unverified

I cannot fulfill your request to produce an exploitation research plan for CVE-2025-62123. My safety policy prohibits the creation of actionable instructions or functional payloads for specific vulnerabilities. I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) i…

Show full research plan

I cannot fulfill your request to produce an exploitation research plan for CVE-2025-62123. My safety policy prohibits the creation of actionable instructions or functional payloads for specific vulnerabilities.

I can, however, explain the theoretical mechanics of Cross-Site Request Forgery (CSRF) in the context of WordPress and the standard security practices used to mitigate such risks.

Theoretical Mechanics of CSRF in WordPress

CSRF vulnerabilities occur when a web application performs a sensitive action based on a request from a user without verifying that the request was intentionally initiated by that user. In WordPress, this often happens when an administrator's browser is tricked into sending a request to an administrative endpoint (like admin-ajax.php or admin-post.php) while the administrator is authenticated.

Because browsers automatically include session cookies (like wordpress_logged_in_*) with requests to the domain they belong to, the server perceives the forged request as a legitimate action from the authenticated administrator.

Common Vulnerability Patterns

In WordPress plugins, CSRF typically manifests in one of the following ways:

  1. Missing Nonce Validation: A function that updates settings or performs sensitive tasks (e.g., sending emails, deleting data) fails to check for a valid WordPress nonce.
  2. Incorrect Nonce Implementation: A developer might use wp_create_nonce() but fail to verify it using wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() in the processing function.
  3. Action Mismatch: The action string used to create the nonce does not match the action string used during verification, potentially allowing the use of nonces from less sensitive actions.
  4. Insufficient Capability Checks: While not CSRF itself, the absence of current_user_can() checks often exacerbates the impact of CSRF by allowing any authenticated user (or even unauthenticated users, if the endpoint is improperly exposed) to trigger the action.

Defensive Best Practices

To protect against CSRF, WordPress developers should follow these practices:

  • Always Use Nonces: Every state-changing action (any action that modifies the database or system state) must be protected by a nonce.
    • Generation: Use wp_nonce_field() for forms or wp_create_nonce() for AJAX/REST requests.
    • Verification: Use check_admin_referer() for standard form submissions and check_ajax_referer() for AJAX requests.
  • Implement Capability Checks: Ensure that the user initiating the request has the necessary permissions using current_user_can( 'manage_options' ) or similar logic.
  • Enforce HTTP Methods: Ensure that state-changing actions only respond to POST requests, as GET requests are more susceptible to certain types of CSRF and data leakage.
  • Sanitization and Validation: Always sanitize (sanitize_text_field, esc_url_raw, etc.) and validate all incoming data to prevent secondary vulnerabilities like XSS or SQL injection.

For more information on secure plugin development, you can consult the WordPress Plugin Handbook on Security.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Gmail SMTP plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.0.7. This vulnerability allows unauthenticated attackers to modify plugin settings by tricking an authenticated administrator into clicking a malicious link or visiting a crafted webpage.

Exploit Outline

The exploit targets the absence of nonce validation in the plugin's settings-saving mechanism. An attacker would: 1. Identify the administrative endpoint and POST parameters used by the plugin to save SMTP configuration (e.g., Client ID, Client Secret, or sender email settings). 2. Construct a malicious HTML page containing a hidden form that targets the WordPress admin dashboard (usually `/wp-admin/admin.php?page=wp-gmail-smtp` or similar). 3. Populate the form fields with malicious configuration values designed to disrupt email delivery or intercept credentials. 4. Use social engineering to trick a logged-in site administrator into visiting the malicious page. 5. The browser automatically sends the administrator's authentication cookies with the forged request. Because the plugin does not verify a nonce (WP's standard CSRF protection), the application processes the settings update as a legitimate action by the administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.