CVE-2026-8174
Description
The Zohocorp Zoho Mail WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF).
This issue affects Zoho Mail WordPress plugin versions before 1.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho Mail WordPress plugin versions before 1.6.2 are vulnerable to CSRF, allowing attackers to perform unauthorized actions on behalf of an authenticated admin.
Vulnerability
The Zoho Mail WordPress plugin versions before 1.6.2 are vulnerable to Cross-Site Request Forgery (CSRF) [1]. This flaw allows an attacker to trick an authenticated administrator into unknowingly executing unwanted actions on the plugin's settings or configuration pages.
Exploitation
Exploitation requires an authenticated administrator to visit a malicious page or click a crafted link while logged into WordPress. The attacker can forge requests to change plugin settings, such as the Zoho Mail API credentials or email configuration, without the administrator's consent. No additional authentication or network position is required beyond the victim's session.
Impact
Successful CSRF exploitation can lead to unauthorized modification of the plugin's configuration, potentially redirecting outgoing emails to an attacker-controlled account or disrupting email delivery. This compromises the integrity and confidentiality of email communications from the WordPress site.
Mitigation
The vulnerability is fixed in version 1.6.2 of the Zoho Mail WordPress plugin [1]. Users should update to this version or later. No workarounds are documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <1.6.2
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.