CVE-2025-0521
Published: 18 February 2025
Summary
CVE-2025-0521 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Wpexperts Post Smtp. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly counters insufficient input sanitization of 'from' and 'subject' parameters by enforcing validation to reject XSS payloads before storage.
Addresses lack of output escaping by filtering rendered content to neutralize injected scripts before execution in user browsers.
Mandates timely flaw remediation, such as updating the Post SMTP plugin beyond version 3.0.2 to patch the sanitization issues.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing WordPress plugin directly matches T1190 exploitation; enables arbitrary JavaScript execution (T1059.007) and browser session hijacking (T1185) via injected scripts.
NVD Description
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Deeper analysis
CVE-2025-0521 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the Post SMTP plugin for WordPress. It affects all versions up to and including 3.0.2 due to insufficient input sanitization and output escaping of the "from" and "subject" parameters. The flaw enables the injection of arbitrary web scripts into pages. It was publicly disclosed on 2025-02-18 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity and no privileges or user interaction required. By submitting malicious payloads via the affected parameters, they can store scripts on the site that execute in the context of any user's browser when accessing the injected page, potentially leading to session hijacking, data theft, or further site compromise given the changed scope in the CVSS vector.
Mitigation details are available in advisories from Wordfence and the WordPress plugin trac repository. The plugin's trunk saw a relevant changeset from revision 3229076 to 3237626, indicating a patch that addresses the sanitization issues in versions beyond 3.0.2. Security practitioners should urge WordPress site owners to update the Post SMTP plugin immediately.
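The two weaknesses named above, missing input sanitization and missing output escaping of the "from" and "subject" values, are shown side by side with their fixes in the following added example. It is plain PHP written for this page, not Post SMTP's code; the log-row array, the function names and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample of a stored e-mail log entry (not real plugin data).
$stored = [
    'from'    => 'alice@example.com',
    'subject' => 'Invoice <script>document.title="xss-marker"</script>',
];

// Vulnerable pattern: stored values go into the markup unescaped.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['from'] . '</td><td>' . $row['subject'] . '</td></tr>';
}

// SI-10, input side: accept "from" only if it is a syntactically valid address.
function validate_from(string $value): ?string
{
    $addr = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// SI-10, input side: strip tags and control characters, cap the length.
// WordPress offers sanitize_text_field() for this job.
function clean_subject(string $value, int $maxBytes = 255): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', strip_tags($value)) ?? '';
    return substr(trim($value), 0, $maxBytes);
}

// SI-15, output side: encode at the point of rendering, whatever was stored.
// WordPress offers esc_html() for this job.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['from']) . '</td><td>' . h($row['subject']) . '</td></tr>';
}

echo "unsafe:  ", render_row_unsafe($stored), PHP_EOL;
echo "escaped: ", render_row_safe($stored), PHP_EOL;   // rows stored earlier stay inert

$fresh = [
    'from'    => validate_from($stored['from']) ?? 'invalid-sender',
    'subject' => clean_subject($stored['subject']),
];
echo "cleaned: ", render_row_safe($fresh), PHP_EOL;    // new rows get both layers
```

Output escaping is the layer that also covers entries already stored before an update, which is why it is applied at render time rather than relied on only at input.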
Details
- CWE(s)