CVE-2025-1123 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the Solid Mail – SMTP email and logging plugin developed by SolidWP for WordPress. This vulnerability exists in all versions up to and including 2.1.5 due to improper input sanitization and insufficient output escaping of user-supplied data fields such as email Name, Subject, and Body. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript payloads into these fields, which are then stored and rendered on pages accessed by other users or administrators. Because the vulnerability is stored XSS, the malicious script persists on the server and executes whenever the infected page is viewed, potentially allowing attackers to hijack user sessions, steal sensitive information, perform actions on behalf of users, or deliver further malware. The CVSS 3.1 base score of 7.2 reflects the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction needed, and a scope change, with limited confidentiality and integrity impacts but no availability impact. No known exploits are currently reported in the wild, but the vulnerability's characteristics make it a significant risk, especially for websites relying on this plugin for email handling and logging. The lack of available patches at the time of publication further increases the urgency for mitigation.

For European organizations using WordPress websites with the Solid Mail plugin, this vulnerability poses a substantial risk to the confidentiality and integrity of their web applications. Attackers could leverage this flaw to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions within the WordPress admin interface. This is particularly critical for organizations handling sensitive customer data or internal communications via email. The vulnerability's exploitation could undermine trust in affected websites, cause data breaches, and disrupt business operations. Given the widespread use of WordPress across Europe, especially among SMEs and public sector entities, the impact could be broad. Additionally, the vulnerability's unauthenticated nature means attackers do not require any credentials, increasing the likelihood of exploitation. The absence of known exploits currently provides a window for proactive defense, but the risk remains high due to the ease of exploitation and potential for significant damage.

European organizations should immediately assess their WordPress environments to identify installations of the Solid Mail – SMTP email and logging plugin. Until an official patch is released, organizations should consider the following specific mitigations: 1) Disable or uninstall the Solid Mail plugin if it is not essential to operations. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the email Name, Subject, and Body fields to prevent malicious script injection. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 4) Conduct thorough input validation and output encoding on any custom integrations or overrides related to the plugin. 5) Monitor logs for unusual activity or attempts to inject scripts via email fields. 6) Educate administrators and users about the risk of clicking on suspicious links or emails that may exploit this vulnerability. 7) Plan for rapid deployment of patches or updates once they become available from SolidWP. These targeted actions go beyond generic advice by focusing on the specific plugin and attack vectors involved.