Description
The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.
Published: 2025-02-24
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open redirect to external sites
Action: Upgrade Plugin
AI Analysis

Impact

The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress allows a directed redirect through the redirect_to parameter without validating its target. An attacker can supply an arbitrary URL, causing users who visit the site and click a manipulated link or submit a form to be forwarded to a malicious domain. This flaw can be used for phishing, credential harvesting, and to deliver further malicious content. The weakness is classified as CWE-601.

Affected Systems

All WordPress sites that have the WPO365 | MICROSOFT 365 GRAPH MAILER plugin installed, activated, and using the redirect_to functionality in any version up to and including 3.2 are affected. Sites that have upgraded beyond 3.2, disabled the plugin, or turned off redirect handling are not impacted.

Risk and Exploitability

The base CVSS score of 4.7 indicates moderate severity, reflecting the need for user interaction and for the plugin to be active. The EPSS score of less than 1% suggests exploitation is unlikely to be widespread. The vulnerability is not yet listed in CISA KEV, implying low current exploitation. Based on the description, the likely attack vector is an attacker crafting a link or form that includes a malicious redirect_to URL; when a visitor clicks or submits, they are redirected to an attacker-controlled site. This requires unauthenticated access to the site but no special privileges. The overall risk to a site depends on how critical the redirect functionality is to its normal operation.

Generated by OpenCVE AI on April 22, 2026 at 02:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPO365 | MICROSOFT 365 GRAPH MAILER plugin to version 3.3 or newer, which eliminates the vulnerable redirect handling.
  • If an immediate upgrade is not possible, disable the redirect_to functionality or remove any custom code that passes this parameter through to the browser, ensuring the parameter is ignored or fully sanitized.
  • Deploy a web‑application firewall rule or plugin that blocks outbound redirects to domains not in a predefined whitelist, mitigating the impact of the open redirect even if the plugin remains vulnerable.

Generated by OpenCVE AI on April 22, 2026 at 02:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4372 The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.
History

Thu, 27 Mar 2025 00:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:*:wpo365:microsoft_365_graph_mailer:*:*:*:*:*:*:*:* cpe:2.3:a:wpo365:microsoft_365_graph_mailer:*:*:*:*:*:*:*:*

Tue, 25 Mar 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Wpo365
Wpo365 microsoft 365 Graph Mailer
CPEs cpe:2.3:*:wpo365:microsoft_365_graph_mailer:*:*:*:*:*:*:*:*
Vendors & Products Wpo365
Wpo365 microsoft 365 Graph Mailer

Mon, 24 Feb 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Feb 2025 11:15:00 +0000

Type Values Removed Values Added
Description The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.
Title WPO365 | MICROSOFT 365 GRAPH MAILER <= 3.2 - Open Redirect via 'redirect_to' Parameter
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wpo365 Microsoft 365 Graph Mailer
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:46:57.099Z

Reserved: 2025-02-19T21:57:31.462Z

Link: CVE-2025-1488

cve-icon Vulnrichment

Updated: 2025-02-24T12:47:04.696Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-24T11:15:10.193

Modified: 2025-03-27T00:25:37.117

Link: CVE-2025-1488

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses