PatchSiren cyber security CVE debrief

CVE-2025-67972 Zoho Mail CVE debrief

CVE-2025-67972 describes a missing authorization / broken access control issue affecting Zoho ZeptoMail through version 3.2.9. The supplied NVD record assigns a medium CVSS score (4.3) and indicates limited impact (availability only) with low privileges required. Because the source corpus is mixed on product naming and vendor attribution, treat this as a real access-control finding tied to the referenced Zoho ZeptoMail / TransMail plugin lineage, but verify the exact installed package and version in your environment before applying remediation.

Vendor: Zoho Mail
Product: Zoho ZeptoMail
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-20
Original CVE updated: 2026-05-21
Advisory published: 2026-02-20
Advisory updated: 2026-05-21

Who should care

Administrators of WordPress sites using the Zoho ZeptoMail/TransMail plugin, security teams responsible for plugin inventory and access control review, and anyone operating environments where low-privilege authenticated users can reach plugin actions or administrative endpoints.

Technical summary

The vulnerability is characterized as missing authorization (CWE-862), i.e. incorrectly configured access control: a code path performs an action without first checking that the calling user is permitted to perform it. Per the supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L), exploitation is network-reachable, low in complexity, requires only low privileges (an authenticated account) and no user interaction, and has a low availability impact with no confidentiality or integrity impact. The record suggests the issue lets an authenticated actor reach functionality that should be restricted to a more privileged role. The corpus ties the issue to Zoho ZeptoMail through 3.2.9 and references a Patchstack advisory for the WordPress plugin path. NVD currently shows the record as Deferred, so corroborate the affected package/version and any vendor guidance before making assumptions about exposure scope.

Defensive priority

Medium. Prioritize if the plugin is installed and reachable by authenticated users, especially in sites with delegated roles or multiple admins. The impact appears limited, but broken authorization flaws can still expose administrative functions or disrupt service workflows if left unaddressed.

Recommended defensive actions

  • Inventory all WordPress instances for the Zoho ZeptoMail / TransMail plugin and confirm installed versions.
  • If version 3.2.9 or earlier is present, apply the vendor or advisory-referenced fix as soon as it is available.
  • Review role-based access to plugin pages, AJAX handlers, REST endpoints, and admin actions for unauthorized access paths.
  • Temporarily restrict plugin access to trusted administrator roles until remediation is complete.
  • Monitor authentication and administrative action logs for unusual access patterns involving the plugin.
  • Re-test after remediation to confirm that restricted actions now return authorization failures for non-privileged users.
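To make the access-control review and re-test steps above concrete, the following is an added, constructed illustration of the CWE-862 pattern in a generic WordPress plugin, showing an admin-ajax.php handler without an authorization check next to a hardened version and the equivalent REST route gate. It is not code from the ZeptoMail/TransMail plugin or from the advisory; the action names, option name and capability (`manage_options`) are assumptions chosen for the example.

```php
<?php
/**
 * Constructed example (not the plugin's code): missing authorization in a
 * WordPress admin-ajax handler, and the hardened form.
 * Hypothetical names: example_plugin_save_settings, example_plugin_api_key.
 */

// --- Vulnerable pattern ---------------------------------------------------
// The wp_ajax_{action} hook fires for ANY authenticated user, including
// Subscriber. Being logged in (authentication) is not permission (authorization),
// so without a capability check a low-privilege account can change plugin state.
add_action( 'wp_ajax_example_plugin_save_settings', 'example_plugin_save_settings_unsafe' );
function example_plugin_save_settings_unsafe() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_plugin_api_key', $api_key ); // state change, no authZ
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_plugin_save_settings_v2', 'example_plugin_save_settings_safe' );
function example_plugin_save_settings_safe() {
    // 1. Nonce: the request must originate from the plugin's own settings page.
    //    On failure check_ajax_referer() terminates the request.
    check_ajax_referer( 'example_plugin_settings', 'nonce' );

    // 2. Capability: the actual authorization decision. Tie it to the role
    //    that is supposed to manage the plugin, not merely to "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'example_plugin_api_key', $api_key );
    wp_send_json_success();
}

// --- Same control for a REST route ---------------------------------------
// permission_callback is the authorization gate; '__return_true' here would be
// the REST equivalent of the flaw for a state-changing route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_rest_save',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'api_key' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_plugin_rest_save( WP_REST_Request $request ) {
    update_option( 'example_plugin_api_key', $request->get_param( 'api_key' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When reviewing a plugin against this pattern, walk every `wp_ajax_*` and `wp_ajax_nopriv_*` hook, every `register_rest_route()` call, and every `admin_post_*` handler, and confirm that each state-changing path has both a nonce check and a `current_user_can()` check against the intended capability. For the re-test step, exercise the action as a low-privilege user (for example a Subscriber) and confirm it is rejected (a 403 from the hardened handler, or the -1 termination from a failed nonce check) rather than silently succeeding.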

Evidence notes

The debrief is based only on the supplied corpus: the CVE description, NVD metadata, and the Patchstack reference URL. The CVE description states 'Missing Authorization vulnerability in Zoho Mail Zoho ZeptoMail' and affected versions through 3.2.9. The NVD metadata provides CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, CWE-862, and vulnStatus Deferred. Because the vendor field in the prompt is low-confidence and the reference URL points to a WordPress plugin path ('transmail'), product naming should be verified in the target environment.

Official resources

Published in the supplied sources on 2026-02-20 and last modified on 2026-05-21. The NVD record in the corpus is marked Deferred. No KEV entry is provided in the supplied data.