Published:2026/06/03 Last Updated:2026/06/03
JVN#24733221
WordPress Plugin "Zoho Mail for WordPress" vulnerable to cross-site request forgery
Overview
WordPress plugin "Zoho Mail for WordPress" provided by Zoho Corporation contains a cross-site request forgery vulnerability.
Products Affected
- Zoho Mail for WordPress versions prior to 1.6.2
Description
WordPress Plugin "Zoho Mail for WordPress" provided by Zoho Corporation contains the following vulnerability.
- Cross-site request forgery (CWE-352)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.1
- CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
- CVE-2026-8174
Impact
On the site with the affected version of the plugin enabled, when a logged-in administrative user accesses some malicious page, an unintended POST request may be sent to tamper the configuration parameters.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Zoho Corporation | Zoho Mail for WordPress |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Norio Abe reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
|
| JVN iPedia |
JVNDB-2026-000081 |