Impact
The SMTP Mail plugin for WordPress contains a Cross-Site Request Forgery flaw that allows an attacker to trick a logged-in administrator into unknowingly executing privileged actions on the site. Based on the description, it is inferred that the attacker targets an authenticated administrator via the plugin's administrative endpoints. Because the flaw lies in the missing request-origin check rather than in any specific input value, an attacker can drive the plugin's typical "settings" or "send test email" endpoints to alter its configuration, potentially redirecting mail flow or exposing credentials. This constitutes a loss of integrity for site administrators, with indirect implications for confidentiality if configuration changes expose sensitive data. The vulnerability does not provide direct remote code execution or denial of service, but it can enable unauthorized changes to the host environment.
Affected Systems
The flaw affects the photoboxone "SMTP Mail" plugin for WordPress. All releases up to and including version 1.3.51 are vulnerable. No specific sub-version details are available beyond the upper bound of 1.3.51.
Risk and Exploitability
Based on the description, it is inferred that attackers would exploit the vulnerability via a crafted link or script that loads the plugin's administrative URL in an authenticated administrator session, taking advantage of a missing CSRF token in the request, a typical CWE-352 Cross-Site Request Forgery weakness. The CVSS score of 4.3 indicates moderate severity, while the EPSS score of < 1% signals a very low likelihood that the vulnerability is actively exploited. The plugin is not listed in the CISA KEV catalog, further suggesting that no widespread exploitation has been reported.
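To make the CWE-352 weakness concrete from the defender's side, the following is an added example (not the SMTP Mail plugin's own code) of a WordPress admin settings handler, first in the unprotected shape the advisory describes and then hardened with a capability check and a nonce; the option name, action slug and function names are hypothetical.

```php
<?php
// Added example, not code from the SMTP Mail plugin. Option name, action slug
// and function names are hypothetical placeholders.

// VULNERABLE pattern (CWE-352): the handler trusts any POST that arrives in an
// authenticated admin session, so a page on another origin can submit it and
// silently change where outbound mail is sent.
function smtp_example_save_settings_unsafe() {
    if ( isset( $_POST['smtp_host'] ) ) {
        update_option( 'smtp_example_host', sanitize_text_field( wp_unslash( $_POST['smtp_host'] ) ) );
    }
}

// HARDENED pattern: require the manage_options capability and a valid nonce
// bound to this specific action. A cross-site request cannot supply the nonce,
// so the write is refused before any option is touched.
function smtp_example_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // check_admin_referer() verifies the '_wpnonce' field for this action and
    // stops with a 403 "link expired" page when it is missing or invalid.
    check_admin_referer( 'smtp_example_save_settings' );
    if ( isset( $_POST['smtp_host'] ) ) {
        update_option( 'smtp_example_host', sanitize_text_field( wp_unslash( $_POST['smtp_host'] ) ) );
    }
}
add_action( 'admin_post_smtp_example_save', 'smtp_example_save_settings' );

// The settings form must emit the matching nonce so legitimate submissions pass.
function smtp_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="smtp_example_save">
        <?php wp_nonce_field( 'smtp_example_save_settings' ); ?>
        <input type="text" name="smtp_host" value="<?php echo esc_attr( get_option( 'smtp_example_host', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same pattern applies to a "send test email" handler: every state-changing admin action needs its own nonce check, since a capability check alone does not distinguish a genuine click from a forged cross-site request.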
OpenCVE Enrichment