Stored Cross-Site Scripting in Solid Mail SMTP Plugin by SolidWP
CVE-2025-1123

7.2HIGH

Key Information:

Vendor: WordPress
Status: Solid Mail – Smtp Email And Logging Made By SolidWP
Vendor: CVE Published:; 23 May 2025

What is CVE-2025-1123?

The Solid Mail SMTP plugin for WordPress, developed by SolidWP, is susceptible to a Stored Cross-Site Scripting flaw due to inadequate input sanitization and output escaping. This vulnerability allows attackers to inject malicious web scripts through email Name, Subject, and Body. When users access pages that contain these malicious scripts, the inserted code can be executed without authentication, potentially compromising user data and site integrity.

Affected Version(s)

Solid Mail – SMTP email and logging made by SolidWP * <= 2.1.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3283671/wp-smtp

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 23, 2025
Vulnerability Reserved
Feb 7, 2025

Credit

D.Sim