Description
Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP mail-baby-smtp allows Cross Site Request Forgery.This issue affects Mail Baby SMTP: from n/a through <= 2.8.
Published: 2025-09-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that allows an attacker to craft a request that the victim’s browser will submit to the Mail Baby SMTP plugin as if performed by a legitimate user. The flaw arises because the plugin does not verify the identity or intent of the request source, permitting unauthorized operations e.g., sending emails or modifying configuration. The weakness is identified as CWE‑352.

Affected Systems

The flaw affects the InterServer Mail Baby SMTP WordPress plugin through version 2.8 inclusive. Any WordPress installation that has this plugin installed and a user with sufficient privileges could be impacted, regardless of the host environment.

Risk and Exploitability

With a CVSS score of 4.3 the severity is moderate; the EPSS score of less than 1 % indicates a low probability of currently observed exploitation. The vulnerability is not listed in CISA’s KEV catalog. Inferred attack vectors involve a malicious site tricking a legitimate user into visiting a crafted page or link that triggers the vulnerable action. No advanced prerequisites are noted, but the attack requires the victim to be authenticated to the WordPress site and to possess a role that can access the plugin’s functionality.

Generated by OpenCVE AI on April 30, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mail Baby SMTP version 2.9 or later, which removes the CSRF flaw.
  • Verify that the plugin’s CSRF protection mechanisms (non‑ces, referer checks) are enabled and correctly configured in the settings page.
  • As a temporary workaround, restrict the plugin’s access to administrators only or suspend the plugin if an immediate update is not possible.

Generated by OpenCVE AI on April 30, 2026 at 06:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30632 Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP allows Cross Site Request Forgery. This issue affects Mail Baby SMTP: from n/a through 2.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP allows Cross Site Request Forgery. This issue affects Mail Baby SMTP: from n/a through 2.8. Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP mail-baby-smtp allows Cross Site Request Forgery.This issue affects Mail Baby SMTP: from n/a through <= 2.8.
Title WordPress Mail Baby SMTP Plugin <= 2.8 - Cross Site Request Forgery (CSRF) Vulnerability WordPress Mail Baby SMTP plugin <= 2.8 - Cross Site Request Forgery (CSRF) vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Interserver
Interserver mail Baby Smtp
Wordpress
Wordpress wordpress
Vendors & Products Interserver
Interserver mail Baby Smtp
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Request Forgery (CSRF) vulnerability in InterServer Mail Baby SMTP allows Cross Site Request Forgery. This issue affects Mail Baby SMTP: from n/a through 2.8.
Title WordPress Mail Baby SMTP Plugin <= 2.8 - Cross Site Request Forgery (CSRF) Vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Interserver Mail Baby Smtp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:40.183Z

Reserved: 2025-08-22T11:37:23.200Z

Link: CVE-2025-57992

cve-icon Vulnrichment

Updated: 2025-09-23T14:35:25.952Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:59.820

Modified: 2026-04-23T15:33:11.783

Link: CVE-2025-57992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses