Description
Cross-Site Request Forgery (CSRF) vulnerability in cstoltenkamp Free MailClient FMC mailclient allows Stored XSS.This issue affects Free MailClient FMC: from n/a through <= 1.0.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery (CSRF) flaw that allows an attacker to trigger the plugin to store arbitrary JavaScript code in the WordPress site. Once the code is stored, regular visitors to the site can be subjected to a Stored XSS attack, enabling the attacker to execute malicious scripts in the context of the user’s browser. This can lead to session hijacking, credential theft, or other client‑side exploits.

Affected Systems

Free MailClient FMC plugin for WordPress, released by cstoltenkamp, is affected in all versions through 1.0. Users running this plugin on their sites should check whether they are using a vulnerable version and consider upgrading if a newer release exists.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity, indicating significant potential damage. The EPSS score of less than 1% suggests that, as of the latest measurement, the likelihood of a real‑world exploit is low. The vulnerability is not listed in the CISA KEV catalog, which means known exploits are not publicly documented. Based on the description, the likely attack vector is a web‑based CSRF request that an attacker can craft to inject the malicious code, which then becomes stored in the site’s database and delivered to unsuspecting users.

Generated by OpenCVE AI on May 2, 2026 at 06:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Free MailClient FMC to a version later than 1.0 if available; if no update is available, disable or uninstall the plugin.
  • Implement CSRF protection for the plugin by validating a nonce token or checking the referer on all state‑changing requests, and restrict plugin usage to trusted administrators only.
  • Apply site‑wide security measures, such as a web application firewall that blocks stored XSS payloads and keep WordPress core and other plugins updated.

Generated by OpenCVE AI on May 2, 2026 at 06:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3359 Cross-Site Request Forgery (CSRF) vulnerability in CS : ABS-Hosting.nl / Walchum.net Free MailClient FMC allows Stored XSS.This issue affects Free MailClient FMC: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in CS : ABS-Hosting.nl / Walchum.net Free MailClient FMC allows Stored XSS.This issue affects Free MailClient FMC: from n/a through 1.0. Cross-Site Request Forgery (CSRF) vulnerability in cstoltenkamp Free MailClient FMC mailclient allows Stored XSS.This issue affects Free MailClient FMC: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 17 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in CS : ABS-Hosting.nl / Walchum.net Free MailClient FMC allows Stored XSS.This issue affects Free MailClient FMC: from n/a through 1.0.
Title WordPress Free MailClient FMC plugin <= 1.0 - CSRF to Stored XSS vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:17.891Z

Reserved: 2025-01-16T11:28:31.296Z

Link: CVE-2025-23703

cve-icon Vulnrichment

Updated: 2025-01-17T17:19:25.171Z

cve-icon NVD

Status : Deferred

Published: 2025-01-16T20:15:45.350

Modified: 2026-06-17T08:56:31.437

Link: CVE-2025-23703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T06:15:06Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)