Stored Cross-Site Scripting in YaySMTP and Email Logs Plugin for WordPress
CVE-2025-0916

6.1MEDIUM

Key Information:

Vendor: WordPress
Status: Yaysmtp And Email Logs: Amazon Ses, Sendgrid, Outlook, Mailgun, Brevo, Google And Any Smtp Service
Vendor: CVE Published:; 19 February 2025

What is CVE-2025-0916?

The YaySMTP and Email Logs plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to inadequate input sanitization and output escaping. This flaw allows unauthenticated attackers to inject malicious web scripts that can execute when users access affected pages. The vulnerability was initially addressed in version 2.4.8; however, it resurfaced in version 2.4.9 following the removal of the wp_kses_post() sanitization function. Users of versions 2.4.9 to 2.6.2 are at risk and are advised to upgrade to a patched version to protect against potential exploitation.

Affected Version(s)

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service 2.4.9 <= 2.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2025
Vulnerability Reserved
Jan 30, 2025

Credit

D.Sim