CVE-2025-0918
Published: 22 February 2025
Summary
CVE-2025-0918 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Yaycommerce Yaysmtp. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly remediates the stored XSS flaw in the YaySMTP plugin by identifying, reporting, and applying patches that fix the insufficient input sanitization and output escaping.
- Enforces information input validation at system entry points to block injection of arbitrary web scripts that exploit the plugin's sanitization deficiency.
- Implements output filtering techniques, such as web application firewalls, to prevent execution of injected scripts that the plugin's inadequate output escaping would otherwise let through.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables remote exploitation of a public-facing WordPress plugin (T1190) and arbitrary JavaScript execution in user browsers (T1059.007), facilitating session hijacking (T1185).
NVD Description
The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Deeper analysis
CVE-2025-0918, published on 2025-02-22, is a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the SMTP for SendGrid – YaySMTP plugin for WordPress, affecting versions up to and including 1.4. The flaw arises from insufficient input sanitization and output escaping, earning a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By injecting arbitrary web scripts into pages, attackers cause the scripts to execute in users' browsers whenever those pages are accessed, enabling potential theft of session data or manipulation of page content with low confidentiality and integrity impacts under a changed scope.
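The two controls named above (SI-10 input validation and SI-15 output filtering) map onto the two defects the NVD description attributes to this CVE: missing sanitization when a value is stored and missing escaping when it is rendered. The following PHP illustrates that pattern with a vulnerable path beside a hardened one. It is an added example, not code from the YaySMTP plugin or from its changeset; the setting name, the option array and the sample input are all constructed for illustration. Plain PHP functions are used so it runs outside WordPress; the WordPress equivalents are named in the comments.

```php
<?php
// Added illustration of the CWE-79 pattern described for CVE-2025-0918.
// This is NOT the YaySMTP plugin's code. A hypothetical plugin setting
// ("sender_name") is stored from untrusted input and later rendered inside
// an HTML table in an admin page.
declare(strict_types=1);

// Constructed sample of untrusted input carrying markup.
$untrusted = '<script>alert(1)</script>';

// --- Vulnerable path: stored verbatim, echoed verbatim ---
function store_setting_vulnerable(array &$options, string $value): void
{
    $options['sender_name'] = $value;            // no sanitization on input
}

function render_setting_vulnerable(array $options): string
{
    return '<td>' . $options['sender_name'] . '</td>';   // no escaping on output
}

// --- Hardened path: sanitize on input (SI-10), escape on output (SI-15) ---
function sanitize_sender_name(string $value): string
{
    // Remove tags and control characters, trim, cap the length.
    // WordPress equivalent: sanitize_text_field().
    $clean = strip_tags($value);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean) ?? '';
    return mb_substr(trim($clean), 0, 100);
}

function store_setting_hardened(array &$options, string $value): void
{
    $options['sender_name'] = sanitize_sender_name($value);
}

function render_setting_hardened(array $options): string
{
    // Escape for the HTML text-content context at the point of output.
    // WordPress equivalent: esc_html(); use esc_attr() inside attributes.
    $escaped = htmlspecialchars($options['sender_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $escaped . '</td>';
}

// Demonstration: the same input through both paths.
$vuln = [];
store_setting_vulnerable($vuln, $untrusted);
echo "vulnerable: ", render_setting_vulnerable($vuln), PHP_EOL;

$safe = [];
store_setting_hardened($safe, $untrusted);
echo "hardened:   ", render_setting_hardened($safe), PHP_EOL;
```

Escaping on output is the control that actually prevents execution, because it is applied at the point where the stored value meets the browser and is chosen for that output context; input sanitization limits what reaches storage but cannot know every context the value will later be rendered in. Applying only one of the two is what leaves a stored XSS like this one exploitable.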
Advisories and patches are detailed in references including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b98f2a85-9535-4bf5-900c-f4f630c7b502?source=cve, the plugin's Trac changeset 3270556 at https://plugins.trac.wordpress.org/changeset/3270556/, affected code in Functions.php at https://plugins.trac.wordpress.org/browser/smtp-sendgrid/trunk/includes/Functions.php, and the plugin's developer page at https://wordpress.org/plugins/smtp-sendgrid/#developers. Practitioners should consult these for patch details and apply updates accordingly.
Details
- CWE(s)