Immediate Security Patches Released Across SolidWP Plugins

Apr 30, 2025


SolidWP recently discovered and resolved multiple security vulnerabilities in key plugins. We are sharing full details to ensure transparency and help you take appropriate action.

Solid Mail: Vulnerability Disclosure

On September 17, 2024, we launched a major update to WP SMTP, reintroducing the plugin under the SolidWP brand as Solid Mail. This update included a comprehensive design refactor and a complete rebuild of the Mail Logs screen.

We were notified on April 24, 2025, of an unauthenticated stored XSS vulnerability, assigned CVE-2025-1123, by a researcher in the WordPress security community, zer0gh0st. The vulnerability was specifically found in the Mail Logs screen of Solid Mail.

What Was Affected

The vulnerability allowed malicious JavaScript code to execute when an admin user loaded the Mail Logs screen containing a specially crafted log entry. If exploited, this vulnerability could allow an attacker to:

  • Create new WordPress admin accounts
  • Execute arbitrary code remotely
  • Repeatedly trigger the exploit as long as the malicious log entry persists

Malicious log entries could be inserted through attacker-controlled email data, for instance, through standard comment forms or contact form submissions containing harmful scripts.

During our internal investigation, we also uncovered a second vulnerability: a serialized injection (PHP object injection) issue. While not directly exploitable on its own, in combination with a POP (property-oriented programming) gadget chain this could allow for:

  • Remote code execution
  • Admin account access
  • Data corruption in the WordPress database

To our knowledge, no active exploits of these vulnerabilities in Solid Mail 2.0+ have been reported in the wild at the time of this announcement. 
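The two Solid Mail defect classes described above, stored XSS in an admin screen and serialized injection, come down to how attacker-influenced strings are output and decoded. The following PHP is an added illustration written for this post, not Solid Mail's own code; it uses hypothetical helper names, a constructed log entry, and assumes WordPress is loaded so that esc_html() and esc_attr() exist.

```php
<?php
// Constructed log entry: recipient and subject originate from an inbound
// contact-form submission, so both are attacker-controlled.
$entry = [
    'id'      => 42,
    'to'      => 'admin@example.com',
    'subject' => 'Contact form: hello <script>alert("xss")</script>',
    // Constructed serialized blob standing in for stored message metadata.
    'meta'    => 'O:8:"stdClass":1:{s:4:"note";s:2:"hi";}',
];

// Vulnerable rendering (hypothetical): stored strings are interpolated
// straight into markup, so any HTML inside them is executed by the
// browser whenever an admin opens the Mail Logs screen.
function render_log_row_vulnerable(array $entry): string {
    return "<tr><td>{$entry['to']}</td><td>{$entry['subject']}</td></tr>";
}

// Hardened rendering (hypothetical): each value is passed through the
// escaper for the context it lands in at output time. esc_html() turns
// the angle brackets into entities, so the subject is displayed as text.
function render_log_row_safe(array $entry): string {
    return sprintf(
        '<tr data-id="%s"><td>%s</td><td>%s</td></tr>',
        esc_attr((string) $entry['id']),
        esc_html($entry['to']),
        esc_html($entry['subject'])
    );
}

// Serialized injection: calling unserialize() on a string the attacker
// controls lets them instantiate arbitrary classes, which is exactly the
// primitive a POP gadget chain needs. Refusing classes removes it: any
// object in the payload arrives as __PHP_Incomplete_Class and is dropped,
// while plain scalar or array metadata still decodes normally.
function decode_log_meta(string $raw): mixed {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_object($value) ? null : $value;
}
// For newly written metadata, prefer JSON, which cannot encode objects.

echo render_log_row_safe($entry), "\n";
var_dump(decode_log_meta($entry['meta']));  // object payload is rejected
```

Cleaning up existing suspicious entries, as the Next Steps section advises, matters because the escaping fix only stops execution on render; the stored entry itself remains until deleted.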

Solid Performance, Solid Security, and Solid Backups Legacy

On April 25, 2025, we became aware of a public report disclosing a low-risk security vulnerability affecting several SolidWP plugins, specifically within the Telemetry module. This module collects and transmits plugin/site usage data on an opt-in basis and is shared across multiple StellarWP products, including:

  • Solid Performance – 1.0+
  • Solid Security – Basic 9.3.0+, Pro 8.3.0+
  • Solid Backups Legacy – 9.1.14+

Key Points About the Telemetry Vulnerability:

  • This was not a high-impact vulnerability. It involved insufficient privilege checking when users attempted to change their opt-in/out status for telemetry sharing.
  • If exploited, an attacker could toggle the opt-in status to “off,” stopping telemetry data from being collected and transmitted.
  • No other site data or core plugin functionality would be affected.
  • At the time of writing, there is no evidence of this vulnerability being actively exploited prior to today’s patch. However, due to the public disclosure, we recommend updating immediately.

Our Immediate Response:

  • Telemetry Fixes: Patched the Telemetry library to enforce stricter admin privilege checks.
  • Plugin Updates: Released updates for Solid Performance, Solid Security, and Solid Backups Legacy (along with other SolidWP plugins using the shared Telemetry library).
  • Security Reporting: Notified Patchstack of the vulnerabilities.

There are no known adverse effects from applying these updates.

Next Steps for SolidWP Plugin Users

Please take the following actions immediately:

  • Update to the latest versions of Solid Mail and Solid Performance (and any related Solid Suite plugins).
    • If you use Solid Central, your plugins have already been updated automatically.
  • Review your Mail Logs screen and delete any suspicious entries if present.
  • No action is required regarding telemetry settings unless you wish to manually adjust your opt-in/out preference.

Conclusion

SolidWP remains committed to proactive security practices and transparent communication. While vulnerabilities are an unfortunate reality in software development, our team is dedicated to addressing them transparently, swiftly, and responsibly.

We appreciate the security community’s assistance in helping keep WordPress users safe, and we thank you for trusting SolidWP.

Stay informed by subscribing to our blog, where we regularly post updates and best practices for securing your WordPress sites.
