CVE-2025-58800
Description
Cross-Site Request Forgery (CSRF) vulnerability in Steve Truman WP Email Template wp-email-template allows Cross Site Request Forgery. This issue affects WP Email Template: from n/a through <= 2.8.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in WP Email Template plugin (≤2.8.5) allows attackers to force privileged users to execute unwanted actions.
Vulnerability Overview
The WP Email Template plugin for WordPress (versions up to and including 2.8.5) contains a Cross-Site Request Forgery (CSRF) vulnerability [1]. This flaw arises from insufficient validation of requests made to the plugin by authenticated users, allowing an attacker to trick a privileged user into unknowingly performing actions on the attacker's behalf [1].
Exploitation Details
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a specially designed form while authenticated to the WordPress site [1]. No direct authentication is needed for the attacker, but the victim must have sufficient privileges (e.g., admin or editor) for the attack to succeed [1]. The attack can be initiated remotely without any special network access [1].
Impact
Successful exploitation could allow an attacker to force the victim to execute unwanted actions under their current session, such as changing settings, creating new admin accounts, or modifying email templates [1]. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has not released a patched version at the time of this analysis; users are advised to update the plugin as soon as a fix becomes available [1]. As an immediate workaround, users can ask their hosting provider or developer for assistance, or consider disabling the plugin until a patch is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.8.5
- (no CPE) range: <=2.8.5
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.