Description
Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Cross Site Request Forgery (CSRF) in the WordPress Gmail SMTP plugin, versions up to and including 1.2.3.19. An attacker who holds no account on the site can trigger plugin operations by forging a web request that a logged-in user's browser submits, potentially altering the SMTP configuration or causing the site to send emails without authorization. This compromises the integrity of the application and can facilitate the delivery of phishing or spam emails. The weakness is classified as CWE-352.

Affected Systems

The affected product is the Gmail SMTP plugin for WordPress developed by Noor Alam. Versions 1.2.3.19 and earlier are vulnerable. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available, so there is little data on the probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a victim who is authenticated to the WordPress site visiting a malicious web page that submits a forged request to the plugin's endpoint. Successful exploitation would allow an attacker to modify plugin settings or use the site to send unauthorized emails, but it requires the victim's browser to be active and authenticated at the time. With no known exploitation and no zero-day status, the overall risk remains moderate but still actionable.

Generated by OpenCVE AI on June 26, 2026 at 17:38 UTC.

Remediation

Vendor Solution

Update the WordPress Gmail SMTP Plugin to the latest available version (at least 1.2.3.20).
OpenCVE Recommended Actions

  • Upgrade the WordPress Gmail SMTP Plugin to version 1.2.3.20 or later.
  • If an immediate upgrade is not possible, temporarily disable the Gmail SMTP plugin until the update is applied.
  • After the update, verify that no unprotected (CSRF-vulnerable) request handlers remain by reviewing the plugin code or the site's audit logs.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Values added:
  • Description: Unauthenticated Cross Site Request Forgery (CSRF) in Gmail SMTP <= 1.2.3.19 versions.
  • Title: WordPress Gmail SMTP plugin <= 1.2.3.19 - Cross Site Request Forgery (CSRF) vulnerability
  • Weaknesses: CWE-352
  • References
  • Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:42:14.355Z

Reserved: 2026-06-25T08:03:29.941Z

Link: CVE-2026-57657

Vulnrichment

Updated: 2026-06-26T17:26:36.166Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)