{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0521", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-16T17:53:46.524Z", "datePublished": "2025-02-18T11:10:18.504Z", "dateUpdated": "2026-04-08T16:46:08.793Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:08.793Z"}, "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Post SMTP <= 3.0.2 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/366dfbf1-870c-4ce3-abc4-a2b2f4e72175?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3237626%40post-smtp%2Ftrunk&old=3229076%40post-smtp%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "timeline": [{"time": "2025-02-17T22:24:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-18T14:26:02.492087Z", "id": "CVE-2025-0521", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-18T14:26:27.507Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0521", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-18T14:26:02.492087Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-18T14:26:19.284Z"}}], "cna": {"title": "Post SMTP <= 3.0.2 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "D.Sim"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-17T22:24:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/366dfbf1-870c-4ce3-abc4-a2b2f4e72175?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3237626%40post-smtp%2Ftrunk&old=3229076%40post-smtp%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:08.793Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0521", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:08.793Z", "dateReserved": "2025-01-16T17:53:46.524Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-18T11:10:18.504Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpexperts:post_smtp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6CFC5EE8-9980-4893-A6AB-882EBC8509D1", "versionEndExcluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Post SMTP para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s del par\u00e1metro from y subject en todas las versiones hasta 3.0.2 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida. Esto hace posible que los atacantes no autenticados inyecten una web arbitraria scripts en p\u00e1ginas que se ejecutar\u00e1n siempre que un usuario acceda a una p\u00e1gina inyectada. "}], "id": "CVE-2025-0521", "lastModified": "2025-02-21T12:16:09.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-18T11:15:12.740", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3237626%40post-smtp%2Ftrunk&old=3229076%40post-smtp%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/366dfbf1-870c-4ce3-abc4-a2b2f4e72175?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:28:28.645774+00:00", "value": {"mitigation_remediation": ["Upgrade Post SMTP to the latest release (v3.0.3 or newer)", "Remove any email entries that contain injected script content in the database", "Apply a web application firewall or enforce a strict content security policy to block execution of unexpected scripts until the plugin is patched"], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting allowing unauthenticated arbitrary script execution"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress plugin \"Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App\" with versions 3.0.2 and earlier are affected. These releases are identified by the CPE \"cpe:2.3:a:wpexperts:post_smtp:*:*:*:*:*:wordpress:*:*\". Any WordPress site running the plugin within these vulnerable versions is at risk.", "description_and_impact": "The Post SMTP plugin for WordPress is vulnerable to a stored cross\u2011site scripting flaw in all versions up to and including 3.0.2. The vulnerability stems from insufficient input sanitization and output escaping of the \"from\" and \"subject\" parameters, permitting an attacker to inject malicious scripts that are then saved to the database. When a user later loads a page that displays the stored email data, the injected scripts run in the user\u2019s browser, potentially enabling credential theft, session hijacking, website defacement, or further compromise of the site. This weakness is classified as CWE\u201179 and represents a high\u2011impact flaw because it is exploitable by unauthenticated users without the need to compromise the WordPress administrator account.", "risk_and_exploitability": "The vulnerability has a CVSS score of 7.2, indicating moderate to high severity. The EPSS score of less than 1% suggests that, as of the time of analysis, the probability of exploitation is low but not negligible, and there is no indication that the flaw has been observed in the wild (flagged in CISA\u2019s KEV catalog). Attackers can exploit the flaw simply by embedding a malicious script into the \"from\" or \"subject\" fields of an email processed by the plugin, which does not require authentication. The injected code will execute every time a user views the corresponding page, which makes this a persistent threat until mitigated."}}}}, "created": "2026-04-22T13:30:17.930858+00:00", "updated": "2026-04-22T13:30:17.930870+00:00", "vendors": []}