Cyber Resilience

CVE-2025-0957

High

Published: 22 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS Score: 0.0029 (53.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0957 is a high-severity Cross-site Scripting (CWE-79) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 46.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

The SMTP for Amazon SES – YaySMTP plugin for WordPress is affected by a stored cross-site scripting vulnerability (CWE-79) in versions up to and including 1.7.1. The flaw stems from insufficient input sanitization and output escaping on user-supplied data, allowing arbitrary script injection that persists and executes in the context of other users' browsers. The issue carries a CVSS 3.1 score of 7.2 with network attack vector, low complexity, and no required authentication or user interaction.

Unauthenticated attackers can exploit the vulnerability by submitting crafted input that is stored by the plugin and later rendered when an administrator or other user views the affected page. Successful exploitation enables the attacker to execute scripts that may steal session tokens, perform actions on behalf of the victim, or deface content within the WordPress site.

Public references point to a patched changeset (3270161) in the plugin repository along with updated files in the trunk, indicating that upgrading beyond version 1.7.1 addresses the input handling deficiencies. The Wordfence advisory and WordPress plugin directory entries provide further details on the remediation timeline.

EPSS for the CVE rose from a low baseline to a peak of 0.0113, indicating that exploitation interest increased after public disclosure.

EU & UK References

Vulnerability details

The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stored XSS enables injection into a public web app (T1190) and subsequent drive-by script execution against visitors (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13329 (shared CWE-79)
CVE-2026-1216 (shared CWE-79)
CVE-2025-13002 (shared CWE-79)
CVE-2025-27500 (shared CWE-79)
CVE-2026-1931 (shared CWE-79)
CVE-2025-28917 (shared CWE-79)
CVE-2025-59057 (shared CWE-79)
CVE-2024-56267 (shared CWE-79)
CVE-2025-69318 (shared CWE-79)
CVE-2025-23839 (shared CWE-79)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces input validation to block the malicious script injection that insufficient sanitization in the YaySMTP plugin allows.

Prevent: Mandates output filtering on affected plugin pages to prevent execution of injected scripts that poor escaping would otherwise allow.

Prevent: Ensures timely patching of the stored XSS flaw in YaySMTP versions up to 1.7.1 to remediate sanitization and escaping deficiencies.

References