CVE-2025-32694 - Vulnerability Details

- WordPress Ultimate WP Mail plugin <= 1.3.10 - Open Redirection vulnerability

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Phishing.This issue affects Ultimate WP Mail: from n/a through <= 1.3.10.

Published: 2025-04-09

Score: 4.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Ultimate WP Mail plugin contains an open redirect vulnerability that allows an attacker to craft URLs that direct legitimate site visitors to malicious, untrusted destinations. This flaw, identified as CWE‑601, can facilitate phishing attacks by making users believe they are accessing trusted content while actually exposing them to social engineering or credential theft.

Affected Systems

The issue affects the Rustaurius Ultimate WP Mail plugin from its earliest releases up through version 1.3.10. Users running any of these or older versions are exposed to the redirection flaw.

Risk and Exploitability

The CVSS score of 4.7 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by embedding malicious redirect parameters in links or through social engineering, making the plug‑in's redirect handling an attractive vector for phishing campaigns.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Rustaurius

Ultimate WP Mail

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.3.10

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Ultimate WP Mail plugin to the latest available version that contains the fix.
If an immediate upgrade is not possible, implement a domain whitelist or manually block harmful redirect URLs through site configuration or a custom security rule.
Continuously monitor site traffic for unusual outbound redirects and review access logs for suspicious patterns.

Generated by OpenCVE AI on May 1, 2026 at 00:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-10567	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail allows Phishing. This issue affects Ultimate WP Mail: from n/a through 1.3.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-1-3-2-open-redirection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail allows Phishing. This issue affects Ultimate WP Mail: from n/a through 1.3.2.	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Phishing.This issue affects Ultimate WP Mail: from n/a through <= 1.3.10.
Title	WordPress Ultimate WP Mail <= 1.3.2 - Open Redirection Vulnerability	WordPress Ultimate WP Mail plugin <= 1.3.10 - Open Redirection vulnerability
References	https://patchstack.com/database/wordpress/plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-1-3-2-open-redirection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-1-3-2-open-redirection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}`

Wed, 09 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 09 Apr 2025 16:30:00 +0000

Type	Values Removed	Values Added
Description		URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Rustaurius Ultimate WP Mail allows Phishing. This issue affects Ultimate WP Mail: from n/a through 1.3.2.
Title		WordPress Ultimate WP Mail <= 1.3.2 - Open Redirection Vulnerability
Weaknesses		CWE-601
References		https://patchstack.com/database/wordpress/plugin/ultimate-wp-mail/vulnerability/wordpress-ultimate-wp-mail-1-3-2-open-redirection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-09T16:09:07.065Z

Updated: 2026-04-28T16:12:28.847Z

Reserved: 2025-04-09T11:21:30.218Z

Link: CVE-2025-32694

Vulnrichment

Updated: 2025-04-09T17:43:26.703Z

NVD

Status : Deferred

Published: 2025-04-09T17:15:53.700

Modified: 2026-04-23T15:29:21.833

Link: CVE-2025-32694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:15:04Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object