Unrated severityNVD Advisory· Published May 23, 2014· Updated May 6, 2026

CVE-2013-2107

Description

Cross-site request forgery (CSRF) vulnerability in the Mail On Update plugin before 5.2.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change the "List of alternative recipients" via the mailonupdate_mailto parameter in the mail-on-update page to wp-admin/options-general.php. NOTE: a third party claims that 5.2.1 and 5.2.2 are also vulnerable, but the issue might require a separate CVE identifier since this might reflect an incomplete fix.

Affected products

Mail On Update Project/Mail On Update2 versions
cpe:2.3:a:mail_on_update_project:mail_on_update:5.0.0:*:*:*:*:wordpress:*:*+ 1 more
- cpe:2.3:a:mail_on_update_project:mail_on_update:5.0.0:*:*:*:*:wordpress:*:*
- cpe:2.3:a:mail_on_update_project:mail_on_update:*:*:*:*:*:wordpress:*:*range: <=5.1.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wordpress.org/plugins/mail-on-update/changelognvdPatchVendor Advisory
seclists.org/oss-sec/2013/q2/356nvdExploit
osvdb.org/93452nvd
secunia.com/advisories/53449nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000