CVE-2025-0957
Published: 22 February 2025
Summary
CVE-2025-0957 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 46.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
The SMTP for Amazon SES – YaySMTP plugin for WordPress is affected by a stored cross-site scripting vulnerability (CWE-79) in versions up to and including 1.7.1. The flaw stems from insufficient input sanitization and output escaping on user-supplied data, allowing arbitrary script injection that persists and executes in the context of other users' browsers. The issue carries a CVSS 3.1 score of 7.2 with network attack vector, low complexity, and no required authentication or user interaction.
Unauthenticated attackers can exploit the vulnerability by submitting crafted input that is stored by the plugin and later rendered when an administrator or other user views the affected page. Successful exploitation enables the attacker to execute scripts that may steal session tokens, perform actions on behalf of the victim, or deface content within the WordPress site.
Public references point to a patched changeset (3270161) in the plugin repository along with updated files in the trunk, indicating that upgrading beyond version 1.7.1 addresses the input handling deficiencies. The Wordfence advisory and WordPress plugin directory entries provide further details on the remediation timeline.
EPSS for the CVE rose from a low baseline to a peak of 0.0113, indicating that exploitation interest increased after public disclosure.
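To confirm that an install has moved beyond 1.7.1, the following added example (not code from the advisory or the plugin project) reads the WordPress plugin header from each plugin's PHP files and flags versions in the affected range. The `name_hint` value, the sample header and the `wp-content/plugins`-style directory layout are assumptions; check the real plugin's header before relying on the match.

```python
import re
from pathlib import Path

LAST_AFFECTED = (1, 7, 1)  # "up to and including 1.7.1", from the advisory text
# WordPress reads plugin metadata from a header comment in the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

# Constructed sample header; the real plugin's header text is an assumption.
SAMPLE = """<?php
/**
 * Plugin Name: SMTP for Amazon SES - YaySMTP
 * Version: 1.7.1
 */
"""

def parse_version(text):
    """Turn '1.7.1' into (1, 7, 1); stop at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version_text):
    """True if version <= 1.7.1; an unparseable version fails closed (True)."""
    v = parse_version(version_text)
    if not v:
        return True
    width = max(len(v), len(LAST_AFFECTED))
    return v + (0,) * (width - len(v)) <= LAST_AFFECTED + (0,) * (width - len(LAST_AFFECTED))

def read_header(php_source):
    """Header fields from the first 8 KB, the span WordPress itself scans."""
    hdr = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        hdr.setdefault(key.lower(), value)  # first occurrence wins
    return hdr

def scan(plugins_dir, name_hint="yaysmtp"):
    """Return (path, version, affected) for plugins whose name contains name_hint."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = read_header(php.read_text(errors="replace"))
        if name_hint in hdr.get("plugin name", "").lower():
            ver = hdr.get("version", "")
            findings.append((str(php), ver, is_affected(ver)))
    return findings
```

Run `scan()` against the plugins directory of each site; any tuple ending in `True` is still on an affected release or has a version string that could not be parsed.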
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4436
Vulnerability details
The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables injection into a public web app (T1190) and subsequent drive-by script execution against visitors (T1189).
Mitigating Controls (NIST 800-53 r5)
Directly enforces input validation to block malicious script injection into the YaySMTP plugin due to insufficient sanitization.
Mandates output filtering on affected plugin pages to prevent execution of injected scripts from poor escaping.
Ensures timely patching of the stored XSS flaw in YaySMTP versions up to 1.7.1 to remediate sanitization and escaping deficiencies.