Cross-Site Request Forgery Vulnerability in Zoho Mail Plugin for WordPress
CVE-2026-8174

5.7MEDIUM

Key Information:

Vendor: WordPress
Status: Zoho Mail WordPress Plugin
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-8174?

The Zoho Mail WordPress plugin is susceptible to a Cross-Site Request Forgery (CSRF) attack, which can allow unauthorized actions to be performed on behalf of authenticated users. Malicious actors could exploit this vulnerability to initiate actions that may compromise user accounts and site integrity. To mitigate this risk, users should ensure they are running version 1.6.2 or higher of the Zoho Mail plugin and regularly review security practices.

Affected Version(s)

Zoho Mail wordpress plugin 0 < 1.6.2

References

https://wordpress.org/plugins/zoho-mail/#developers

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-8174 Data

JSON