Stored Cross-Site Scripting in YaySMTP Plugin for WordPress
CVE-2023-3093

7.2HIGH

Key Information:

Vendor: WordPress
Status: Yaysmtp – Simple WP Smtp Mail
Vendor: CVE Published:; 12 July 2023

What is CVE-2023-3093?

The YaySMTP plugin for WordPress has a vulnerability that allows stored cross-site scripting due to inadequate input validation and output escaping. Unauthenticated attackers can leverage this flaw to inject arbitrary web scripts into email content, which will be executed on pages accessed by users. This poses a significant security risk for sites utilizing affected versions of the plugin, where malicious scripts could potentially compromise user sessions or redirect users to harmful sites.

Affected Version(s)

YaySMTP – Simple WP SMTP Mail 2.4.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/2922163/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jun 4, 2023

Credit

Alex Thomas