CVE-2025-0916
Published: 19 February 2025
Summary
CVE-2025-0916 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Yaycommerce Yaysmtp. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 32.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient input sanitization in the WordPress plugin that allows unauthenticated attackers to inject arbitrary web scripts.
- SI-15 (Information Output Filtering): mitigates the lack of output escaping by filtering injected scripts before they execute in users' browsers when affected pages are accessed.
- Timely remediation of the known flaw through plugin updates, as recommended by advisories, to a patched version beyond 2.6.2.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) to inject and execute arbitrary JavaScript (T1059.007) in victims' browsers, facilitating browser session hijacking (T1185).
NVD Description
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
Deeper analysis
CVE-2025-0916 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress in versions 2.4.9 through 2.6.2. The flaw stems from insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts into pages. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Notably, the issue was initially addressed in version 2.4.8 but reintroduced in 2.4.9 due to the removal of WordPress's built-in wp_kses_post() sanitization function.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious scripts into plugin-managed pages, attackers achieve script execution in the browser of any user who subsequently accesses those pages, with the rated low impacts on confidentiality and integrity (C:L/I:L) covering outcomes such as session hijacking or data theft; the changed scope (S:C) reflects that the injected script runs in the context of the site's visitors rather than the plugin itself, amplifying risk across affected sites.
Advisories, including those from Wordfence, recommend updating to a patched version of the plugin beyond the vulnerable range. The fix is visible in source code changesets in the WordPress plugin trac (e.g., changeset 3238172), touching related functions in Functions.php and Utils.php. The plugin's developer page on WordPress.org provides further details on updates and remediation.
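The following is an added illustration, not code from the YaySMTP plugin or its changesets, of the sanitize-on-input and escape-on-output pattern whose removal reintroduced the flaw; it models the stored data as a hypothetical logged email subject and HTML body (the page does not name the affected field), with made-up option names and a WordPress runtime assumed.

```php
<?php
// Hypothetical field names and option keys; assumes WordPress is loaded so that
// wp_kses_post(), wp_unslash(), esc_html(), update_option() and get_option() exist.

// Vulnerable pattern (mirrors the 2.4.9 regression): the raw value is stored
// without wp_kses_post() and later echoed without escaping, so any markup
// a remote party placed in the subject executes in the viewer's browser.
function hypo_log_subject_unsafe( $raw_subject ) {
    update_option( 'hypo_last_subject', $raw_subject );
}
function hypo_render_subject_unsafe() {
    echo get_option( 'hypo_last_subject', '' );
}

// Hardened pattern: SI-10 (validate input) and SI-15 (filter output) together.
function hypo_log_email( $raw_subject, $raw_html_body ) {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // wp_kses_post() keeps only tags and attributes allowed in post content,
    // dropping <script>, on* event handlers and javascript: URLs.
    $subject = wp_kses_post( wp_unslash( $raw_subject ) );
    $body    = wp_kses_post( wp_unslash( $raw_html_body ) );
    update_option( 'hypo_last_subject', $subject );
    update_option( 'hypo_last_body', $body );
}
function hypo_render_email() {
    // Escape at the sink as well: rows stored before the sanitizer was
    // (re)introduced may still carry unsafe markup.
    // A plain-text field is HTML-escaped entirely.
    echo '<h2>' . esc_html( get_option( 'hypo_last_subject', '' ) ) . '</h2>';
    // A field that legitimately carries HTML is re-filtered with the same
    // allow-list rather than echoed verbatim.
    echo '<div class="hypo-body">' . wp_kses_post( get_option( 'hypo_last_body', '' ) ) . '</div>';
}
```

Sanitizing on save alone is not enough after a regression like this one, because values written while the sanitizer was absent remain in the database; the output-side call is what protects existing rows.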
Details
- CWE(s)