CVE-2025-0916 in YaySMTP and Email Logs Plugininfo

Summary

by MITRE • 02/19/2025

The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2025-0916 affects the YaySMTP and Email Logs plugin for WordPress, which provides integration capabilities with various email service providers including Amazon SES, SendGrid, Outlook, Mailgun, Brevo, and Google SMTP services. This plugin serves as a critical component for WordPress sites that require robust email functionality, making it a potentially attractive target for attackers seeking to exploit weaknesses in email handling systems. The vulnerability exists within versions 2.4.9 through 2.6.2, with the issue being particularly concerning due to the persistence nature of stored cross-site scripting attacks that can affect administrators and other privileged users who access compromised pages.

The technical flaw stems from insufficient input sanitization and output escaping mechanisms within the plugin's code implementation. Specifically, the vulnerability was initially addressed in version 2.4.8 through the implementation of wp_kses_post() function, which serves as WordPress's built-in sanitization mechanism designed to remove potentially dangerous HTML content while preserving safe formatting. However, this protective measure was subsequently removed in version 2.4.9, inadvertently reintroducing the XSS vulnerability. The flaw allows unauthenticated attackers to inject malicious scripts into the plugin's administrative interfaces or email logs, where these scripts are then executed whenever legitimate users access the affected pages. This stored nature of the vulnerability means that the malicious code persists in the system until manually removed, making it particularly dangerous for long-term compromise.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to sensitive administrative functions within WordPress installations. When administrators or other privileged users view email logs or administrative interfaces containing the injected scripts, the malicious code executes in their browser context, potentially leading to session hijacking, privilege escalation, or data exfiltration. The vulnerability aligns with CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities, and represents a classic case where the removal of proper sanitization functions creates exploitable entry points. Attackers could leverage this vulnerability to perform actions such as stealing administrator cookies, modifying email configurations, or even gaining complete control over the WordPress installation through more sophisticated attack chains.

Security practitioners should immediately implement mitigation strategies including updating to patched versions of the plugin, implementing proper input validation at multiple layers, and monitoring for suspicious activity in email logs. The ATT&CK framework categorizes this vulnerability under T1059.001 for Command and Scripting Interpreter, specifically through the execution of malicious scripts in user contexts. Organizations should also consider implementing Content Security Policy headers to mitigate the impact of potential XSS attacks, though this provides only defense-in-depth rather than complete protection. Regular security audits of WordPress plugins and themes remain essential, as this vulnerability demonstrates how seemingly minor code changes can introduce critical security regressions. The incident also highlights the importance of maintaining proper version control and regression testing procedures, particularly when removing security functions that were previously implemented to protect against known attack vectors.

Responsible

Wordfence

Reservation

01/31/2025

Disclosure

02/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00352

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!