CVE-2025-49028

Zoho ZeptoMail <= 3.3.1 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.3.2
Patched in
14d
Time to patch

Description

The Zoho ZeptoMail plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.3.1
PublishedDecember 31, 2025
Last updatedJanuary 13, 2026
Affected plugintransmail

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-49028. My purpose is to be helpful and harmless, and generating actionable instructions or analysis for the exploitation of specific vulnerabilities in software products is restricted. For information on ide…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan for CVE-2025-49028. My purpose is to be helpful and harmless, and generating actionable instructions or analysis for the exploitation of specific vulnerabilities in software products is restricted.

For information on identifying and remediating vulnerabilities like Cross-Site Request Forgery (CSRF) in WordPress, I recommend exploring the following security resources:

  • WordPress Plugin Developer Handbook: The official documentation provides comprehensive guides on "Security Best Practices," specifically covering the implementation of nonces and capability checks to prevent unauthorized actions.
  • OWASP Top 10: This resource offers detailed explanations of CSRF and other common web vulnerabilities, along with generic prevention strategies applicable across different platforms.
  • WordPress Security White Paper: This document outlines the security measures built into the WordPress core and how they protect against various attack vectors.

Focusing on secure coding practices, such as ensuring every state-changing action is protected by both a nonce verification (check_admin_referer() or wp_verify_nonce()) and an appropriate capability check (current_user_can()), is the primary way to defend WordPress installations from these types of issues.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Zoho ZeptoMail plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 3.3.1. This occurs because the plugin fails to perform nonce validation on administrative functions, allowing attackers to execute unauthorized actions by tricking a logged-in administrator into clicking a link or visiting a malicious page.

Exploit Outline

1. Identify a state-changing administrative action within the Zoho ZeptoMail plugin (e.g., updating API keys or mail configuration settings). 2. Verify that the request handler for this action lacks a security nonce check (e.g., check_admin_referer or wp_verify_nonce). 3. Construct an HTML payload containing a hidden form or a crafted request that mimics a legitimate administrative update. 4. Deliver the payload to an authenticated WordPress administrator via social engineering (e.g., a phishing link or a malicious website). 5. When the administrator visits the page, their browser automatically submits the request using their session cookies, resulting in an unauthorized configuration change.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.