CVE-2025-1123 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Solid Mail – SMTP email and logging plugin developed by SolidWP for WordPress. This vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The issue stems from insufficient sanitization and escaping of user-supplied input fields—specifically the email Name, Subject, and Body—allowing attackers to inject arbitrary JavaScript code that is stored persistently within the plugin’s data. When a legitimate user accesses a page displaying the injected content, the malicious script executes in their browser context. The vulnerability is exploitable remotely without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.2 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with limited confidentiality and integrity impact but no availability impact. The vulnerability affects all versions up to and including 2.1.5 of the plugin. Although no public exploits are currently known, the nature of stored XSS can facilitate session hijacking, credential theft, or further attacks such as privilege escalation or malware distribution. The plugin’s widespread use in WordPress environments makes this a significant concern for website administrators and security teams.

The primary impact of CVE-2025-1123 is the compromise of confidentiality and integrity for users interacting with affected WordPress sites using the Solid Mail plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim’s browser, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of the user. This can result in account compromise, data leakage, and further exploitation of the website or connected systems. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attackers scanning for vulnerable sites. The scope includes all WordPress sites using the affected plugin versions, which may be significant given WordPress’s global market share. The absence of availability impact means the site remains operational, but the trustworthiness and security of user interactions are undermined. Organizations relying on this plugin for email SMTP and logging functionality face reputational damage, regulatory compliance risks, and potential financial losses if exploited.

1. Immediate upgrade: Organizations should update the Solid Mail – SMTP email and logging plugin to a patched version once released by SolidWP. If no patch is available yet, consider temporarily disabling the plugin to prevent exploitation. 2. Input validation and output encoding: Developers and site administrators should ensure that all user-supplied inputs, especially email Name, Subject, and Body fields, are properly sanitized and escaped before rendering in web pages. 3. Web Application Firewall (WAF): Deploy a WAF with rules targeting common XSS payloads to block malicious requests attempting to inject scripts. 4. Content Security Policy (CSP): Implement a strict CSP to restrict execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Monitoring and logging: Enable detailed logging of plugin activity and monitor for unusual input patterns or error messages that may indicate exploitation attempts. 6. User awareness: Educate site administrators and users about the risks of XSS and encourage cautious behavior when interacting with email content or links. 7. Regular security audits: Conduct periodic vulnerability assessments and penetration testing focusing on plugin components and user input handling. 8. Backup and recovery: Maintain regular backups of website data to enable quick restoration in case of compromise.