CVE-2025-47466

Vulnerability

Overview The Ultimate WP Mail plugin for WordPress versions up to and including 1.3.4 is vulnerable to Cross-Site Request Forgery (CSRF). This vulnerability arises from missing or insufficient CSRF protection mechanisms in the plugin, allowing an attacker to trick authenticated users into performing unintended actions [1].

Exploitation

Method To exploit the CSRF vulnerability, an attacker must craft a malicious link or web page that, when visited by a privileged user (such as an administrator), triggers an unwanted action within the plugin. The attacker does not need any special privileges but requires the victim to be logged into their WordPress site while interacting with the malicious content [1].

Impact

Successful exploitation could enable an attacker to perform actions on behalf of the victim, such as modifying plugin settings or executing other operations that the victim is authorized to perform. This could lead to partial compromise of the site's functionality or data integrity [1].

Mitigation

The vulnerability has been addressed in version 1.3.5 of the Ultimate WP Mail plugin. Users are strongly advised to update to this version or later to eliminate the risk. Patchstack users can enable auto-updates for the plugin to ensure ongoing protection [1].