Description
Zohocorp Zoho Mail WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF).

This issue affects Zoho Mail WordPress plugin versions before 1.6.2.
Published: 2026-05-26
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zoho Mail WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability, classified as CWE-352, affecting all releases older than 1.6.2. The weakness allows an attacker to embed specially crafted requests in a web page that a logged-in user's browser then submits without the user noticing. The advisory does not name the affected actions; from the description it is inferred that an attacker could compel the user's browser to perform mail-related actions, such as modifying account settings or sending emails, without the user's consent. The resulting impact is that an authenticated WordPress user could unintentionally alter sensitive mail settings or trigger spam-like messages.

Affected Systems

WordPress sites that have installed Zoho Corp’s Zoho Mail WordPress plugin and are running a version earlier than 1.6.2 are affected. These installations may coexist with other plugins or themes, but the vulnerability resides solely in the plugin’s request handling logic.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, which suggests no widespread public exploitation to date. The likely attack vector is a CSRF attack launched from a malicious website or deceptive link that causes the victim's authenticated browser to send a request to the plugin's endpoints. The flaw does not provide code execution or unauthenticated access: it requires the victim to already be logged into WordPress on a site with the plugin enabled.

Generated by OpenCVE AI on May 26, 2026 at 15:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zoho Mail WordPress plugin to version 1.6.2 or later.
  • If an upgrade is not immediately possible, deactivate the plugin to block CSRF-enabled actions until a fix is applied.
  • Implement a web application firewall (WAF) rule that blocks POST requests to the plugin's paths unless they contain a valid CSRF token or originate from the same site.
  • Monitor WordPress logs for anomalous plugin activity such as unexpected configuration changes or bulk email sending that may indicate exploitation attempts.

Generated by OpenCVE AI on May 26, 2026 at 15:31 UTC.
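The WAF-style rule from the recommended actions, written out as an added example (Python; not code from OpenCVE or from the Zoho Mail plugin): a POST to the plugin's endpoint is allowed when its Origin or Referer names the site's own host or when it carries a session-bound token, and blocked otherwise. The site host, endpoint path and token secret are assumed placeholders, since the advisory does not name the plugin's paths.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Assumed placeholders (not from the advisory): the protected site's host, the endpoint path(s)
# the plugin's actions post to, and a token secret shared with whatever mints the tokens.
SITE_HOST = "example.org"
PLUGIN_PATHS = ("/wp-admin/admin-post.php",)
TOKEN_SECRET = b"constructed-demo-secret"


def make_token(session_id: str) -> str:
    """Mint a token bound to one session, in the spirit of a WordPress nonce."""
    return hmac.new(TOKEN_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_site(headers: dict) -> bool:
    """Prefer Origin, fall back to Referer; fail closed when neither header is present."""
    source = headers.get("Origin") or headers.get("Referer")
    return bool(source) and urlparse(source).hostname == SITE_HOST


def decide(req: dict) -> str:
    """Return 'allow' or 'block'. Only POSTs to the plugin's paths are policed."""
    if req["method"] != "POST" or req["path"] not in PLUGIN_PATHS:
        return "allow"
    if same_site(req["headers"]):
        return "allow"
    # Cross-site or referrer-stripped: accept only a token minted for this very session.
    supplied = req["form"].get("_csrf_token", "")
    if hmac.compare_digest(supplied.encode(), make_token(req["session"]).encode()):
        return "allow"
    return "block"


def evaluate(requests: list) -> list:
    return [decide(r) for r in requests]


# Constructed sample traffic: a same-site POST, the CSRF pattern (same session, foreign
# Origin, no token), a referrer-stripped POST carrying a valid token, and a GET the rule skips.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/admin-post.php", "session": "s1",
     "headers": {"Origin": "https://example.org"}, "form": {}},
    {"method": "POST", "path": "/wp-admin/admin-post.php", "session": "s1",
     "headers": {"Origin": "https://third-party.example"}, "form": {}},
    {"method": "POST", "path": "/wp-admin/admin-post.php", "session": "s1",
     "headers": {}, "form": {"_csrf_token": make_token("s1")}},
    {"method": "GET", "path": "/wp-admin/admin-post.php", "session": "s1",
     "headers": {}, "form": {}},
]
```

Because a missing Origin and Referer is treated as foreign, browsers or proxies that strip referrer headers fall back to the token path rather than being silently allowed.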

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wordpress; Wordpress wordpress
Vendors & Products    -                Wordpress; Wordpress wordpress

Tue, 26 May 2026 15:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 13:45:00 +0000

Type                  Values Removed   Values Added
Description           -                Zohocorp Zoho Mail wordpress plugin is vulnerable to Cross-Site request forgery (CSRF). This issue affects Zoho Mail wordpress plugin versions before 1.6.2.
Title                 -                Cross-site Request Forgery
First Time appeared   -                Zohocorp; Zohocorp zoho Mail Wordpress Plugin
Weaknesses            -                CWE-352
CPEs                  -                cpe:2.3:a:zohocorp:zoho_mail_wordpress_plugin:*:*:*:*:*:*:*:*
Vendors & Products    -                Zohocorp; Zohocorp zoho Mail Wordpress Plugin
References            -                -
Metrics               -                cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Zohocorp

Published:

Updated: 2026-05-26T14:42:42.684Z

Reserved: 2026-05-08T14:52:22.288Z

Link: CVE-2026-8174

Vulnrichment

Updated: 2026-05-26T14:42:37.674Z

NVD

Status : Awaiting Analysis

Published: 2026-05-26T14:16:41.107

Modified: 2026-05-26T19:06:58.447

Link: CVE-2026-8174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:05:21Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)