CVE-2025-28981: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Soli WP Mail Options plugin that allows Stored Cross-Site Scripting (XSS). The vulnerability affects versions through 0.2.3 of the WP Mail Options plugin. This security issue was discovered by Nguyen Xuan Chien and was publicly disclosed on June 5, 2025 (Patchstack Report).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The security issue allows unauthenticated attackers to exploit CSRF vulnerabilities that can lead to stored XSS attacks (NVD Database, Patchstack Report).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The security issue has been classified as having a low severity impact, though it maintains a high CVSS score (Patchstack Report).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability affects versions through 0.2.3 of the WP Mail Options plugin (Patchstack Report).