CVE-2013-2107

Mail On Update < 5.1.0 - Cross-Site Request Forgery via mailonupdate_mailto Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-2107. PoCs published by Henri Salo.

AI-analyzed exploit summary This exploit demonstrates a CSRF vulnerability in the Mail On Update WordPress plugin, allowing an attacker to modify the plugin's email settings via a crafted HTML form. The PoC submits a POST request to update the 'mailonupdate_mailto' parameter without requiring user authentication.

Description

Cross-site request forgery (CSRF) vulnerability in the Mail On Update plugin before 5.2.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change the "List of alternative recipients" via the mailonupdate_mailto parameter in the mail-on-update page to wp-admin/options-general.php. NOTE: a third party claims that 5.2.1 and 5.2.2 are also vulnerable, but the issue might require a separate CVE identifier since this might reflect an incomplete fix.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Henri Salo · htmlwebappsphp

https://www.exploit-db.com/exploits/38517

View Code ZIP pw:eip

This exploit demonstrates a CSRF vulnerability in the Mail On Update WordPress plugin, allowing an attacker to modify the plugin's email settings via a crafted HTML form. The PoC submits a POST request to update the 'mailonupdate_mailto' parameter without requiring user authentication.

Classification

Working Poc 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Mail On Update WordPress plugin 5.1.0

No auth needed

Prerequisites: Victim must visit a malicious webpage while authenticated to the WordPress admin panel

MITRE ATT&CK

T1556.002 - Password Filter DLL

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Patch, Vendor Advisory x_refsource_confirm

http://wordpress.org/plugins/mail-on-update/changelog

Third Party Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/53449

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/93452

Exploit mailing-list x_refsource_mlist

http://seclists.org/oss-sec/2013/q2/356

Scores

EPSS 0.0321

EPSS Percentile 86.4%

Details

CWE

CWE-352

Status published

Products (2)

mail_on_update_project/mail_on_update 5.0.0

mail_on_update_project/mail_on_update < 5.1.0

Published May 23, 2014

Tracked Since Feb 18, 2026