VYPR
Medium severity 4.3 · NVD Advisory · Published Sep 22, 2025 · Updated Apr 23, 2026

CVE-2025-57992

Description

Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP mail-baby-smtp allows Cross Site Request Forgery. This issue affects Mail Baby SMTP: from n/a through <= 2.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A CSRF vulnerability in InterServer Mail Baby SMTP plugin for WordPress allows attackers to force authenticated users to execute unwanted actions.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the InterServer Mail Baby SMTP plugin for WordPress, affecting versions from n/a through 2.8. It allows a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication. The vulnerability has a CVSS score of 4.3, indicating medium severity; according to the advisory, it is considered to have a low severity impact and is unlikely to be exploited [1].

Attack Vector

Exploitation requires user interaction: a privileged user must perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form. The attacker can initiate the CSRF attack without authentication, but successful exploitation depends on tricking an authenticated user into performing the unintended action. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of traffic or popularity [1].

Impact

If successfully exploited, an attacker could force an authenticated administrator or other privileged user to execute unwanted actions within the plugin's context, potentially leading to configuration changes or other unauthorized operations under the victim's session.

Mitigation

The vulnerability is patched in version 3.2.12 of the Mail Baby SMTP plugin. Users are advised to update immediately. For those unable to update, consulting with a hosting provider or web developer is recommended. Patchstack users can enable auto-update for vulnerable plugins [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
