← Back to CVEs
CVE-2025-1488
MEDIUM4.7
Description
The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.
CVE Details
CVSS v3.1 Score4.7
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published2/24/2025
Last Modified3/27/2025
Sourcenvd
Honeypot Sightings0
Affected Products
wpo365:microsoft_365_graph_mailer
Weaknesses (CWE)
CWE-601CWE-601
References
https://plugins.trac.wordpress.org/changeset/3244747/(security@wordfence.com)
https://wordpress.org/plugins/wpo365-msgraphmailer/#developers(security@wordfence.com)
https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1782c3-ae0b-42f1-aa5e-dabfa2a5bbcd?source=cve(security@wordfence.com)
https://www.wpo365.com/change-log/(security@wordfence.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.