Overview
This article details a medium-severity authorization bypass vulnerability identified as CVE-2025-12887 affecting the Post SMTP plugin for WordPress, versions up to and including 3.6.1. This vulnerability allows authenticated attackers (subscriber level and above) to inject invalid or attacker-controlled OAuth credentials, potentially compromising email sending functionality and associated data.
Technical Details
The vulnerability resides in the handle_gmail_oauth_redirect function of the Post SMTP plugin. The core issue is that the plugin does not verify that the user reaching this function is actually authorized to update OAuth tokens; being logged in is treated as sufficient. An attacker with any authenticated WordPress account (even one with minimal privileges, such as the subscriber role) can use this oversight to overwrite the stored OAuth settings, effectively gaining control over the plugin's Gmail-based email sending.
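To show the bug class described above, here is an added, hypothetical WordPress OAuth redirect handler (not Post SMTP's own code): the first version trusts any logged-in user, the second adds the capability and state checks that close the gap. The function names, option name and hook are assumptions.

```php
<?php
// Hypothetical illustration of the bug class; NOT code from the Post SMTP plugin.
// Function and option names (my_oauth_*, 'my_plugin_gmail_tokens') are assumed.

// VULNERABLE: any logged-in user who reaches the redirect URL with a ?code=
// parameter causes the stored tokens to be replaced with whatever that code
// exchanges for. is_user_logged_in() is true for subscribers; it is
// authentication, not authorization.
function my_oauth_handle_redirect_vulnerable() {
    if ( empty( $_GET['code'] ) || ! is_user_logged_in() ) {
        return;
    }
    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );
    update_option( 'my_plugin_gmail_tokens', my_oauth_exchange_code( $code ) );
}

// HARDENED: require the capability that owns plugin settings, and bind the
// OAuth "state" parameter to a nonce issued when the authorize URL was built
// (wp_create_nonce( 'my_plugin_oauth_flow' )), so a low-privileged account
// cannot complete a flow it did not start as an administrator.
function my_oauth_handle_redirect_hardened() {
    if ( empty( $_GET['code'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed to update OAuth credentials.', 'my-plugin' ), '', array( 'response' => 403 ) );
    }
    $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
    if ( ! wp_verify_nonce( $state, 'my_plugin_oauth_flow' ) ) {
        wp_die( esc_html__( 'Invalid OAuth state.', 'my-plugin' ), '', array( 'response' => 403 ) );
    }
    $code = sanitize_text_field( wp_unslash( $_GET['code'] ) );
    update_option( 'my_plugin_gmail_tokens', my_oauth_exchange_code( $code ) );
}

// Exchange the authorization code for tokens. Endpoint and body are assumed;
// a real flow also sends client_id, client_secret and redirect_uri.
function my_oauth_exchange_code( $code ) {
    $resp = wp_remote_post( 'https://oauth2.googleapis.com/token', array(
        'body' => array( 'code' => $code, 'grant_type' => 'authorization_code' ),
    ) );
    if ( is_wp_error( $resp ) ) {
        return array();
    }
    return (array) json_decode( wp_remote_retrieve_body( $resp ), true );
}

add_action( 'admin_init', 'my_oauth_handle_redirect_hardened' );
```

The nonce check alone is not the fix: without current_user_can(), a subscriber who obtains a valid nonce could still complete the flow, so the capability check is what actually enforces authorization.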
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12887 is 5.4, indicating a MEDIUM severity vulnerability. This score reflects the following factors:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): None (N)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
Although no confidentiality or availability impact is assigned, the low integrity impact is enough for a medium severity rating. Successful exploitation can lead to unauthorized email sending and potential manipulation of email content.
Possible Impact
Exploitation of CVE-2025-12887 can have several negative consequences:
- Unauthorized Email Sending: Attackers can send emails from the compromised WordPress installation without proper authorization.
- Spoofing and Phishing: Attackers can spoof email addresses and conduct phishing campaigns using the compromised email account.
- Data Exfiltration (Indirect): If sensitive data is routinely transmitted via email through the Post SMTP plugin, an attacker might be able to access this data.
- Reputation Damage: Spam and phishing activities originating from a compromised website can severely damage its reputation.
Mitigation and Patch Steps
The primary mitigation for CVE-2025-12887 is to update the Post SMTP plugin to the latest version. Versions released after 3.6.1 contain a fix that addresses the authorization bypass vulnerability.
- Log in to your WordPress dashboard.
- Navigate to Plugins > Installed Plugins.
- Locate the Post SMTP plugin.
- If an update is available, click the “Update Now” link.
- Verify that the plugin version is higher than 3.6.1 after the update.
If you cannot update the plugin immediately, consider temporarily disabling it until you can apply the update. Also, review user roles and permissions to ensure that only trusted users have administrative access.
References
- WordPress.org Changeset: https://plugins.trac.wordpress.org/changeset/3402203
- Wordfence Threat Intelligence: https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd9f312-99e1-4dc2-855d-90339c2e24da?source=cve
