CVE-2025-1488

low-risk

Published 2025-02-24

The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation on the redirect url supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.7/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Microsoft 365 Graph Mailer

Affected Vendors

Wpo365

References (4)

Patch https://plugins.trac.wordpress.org/changeset/3244747/

Release Notes https://wordpress.org/plugins/wpo365-msgraphmailer/#developers

Third Party Advisory https://www.wordfence.com/threat-intel/vulnerabilities/id/3a1782c3-ae0b-42f1-aa5...

Product https://www.wpo365.com/change-log/

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal