CVE-2025-0916
Published: 19 February 2025
Description
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
Security Summary
CVE-2025-0916 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress in versions 2.4.9 through 2.6.2. The flaw stems from insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts into pages served by the plugin. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N). Notably, the issue is a regression: it was addressed in version 2.4.8 and reintroduced in 2.4.9 when the call to wp_kses_post(), WordPress's built-in allowlist HTML filter, was removed.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By injecting malicious scripts into plugin-managed pages, attackers obtain script execution in the browser of any user who subsequently views those pages; for a plugin that logs email, that user is commonly a site administrator reviewing logged messages. The CVSS vector rates the confidentiality and integrity impact as low, but script running in a logged-in user's session can read page content, issue authenticated requests, and perform actions with that user's privileges, which is the basis for session hijacking or data theft. The scope is marked changed because the injected script executes in the victim's browser rather than within the vulnerable plugin component itself.
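The pattern the advisory describes, shown as an added illustration rather than the plugin's own code: a log viewer that echoes a stored email body into an admin page with no filter, beside the same viewer with an allowlist filter applied at output time. The logged body, the function names and the HTML wrapper are all constructed for this example. Under WordPress the filter used is wp_kses_post(), which keeps post-safe markup such as `<p>` and `<a href>` while stripping `<script>` tags and on* event attributes (the inner text of a stripped tag is kept). So that the file also runs under plain `php` on the command line, the safe renderer falls back to htmlspecialchars() when WordPress is not loaded; that fallback neutralises all markup and is a stand-in, not a reproduction of wp_kses_post() behaviour.

```php
<?php
// Added example, not from the plugin or the advisory. Constructed sample of a
// logged email body after an attacker has placed markup in a field that the
// site emails and the plugin logs (for example a contact-form message).
$logged_body = '<p>Hello</p><script>alert(document.domain)</script>'
             . '<a href="#" onclick="alert(1)">link</a>';

// Vulnerable pattern, matching what the advisory describes for 2.4.9 - 2.6.2:
// the stored body is echoed untouched, so <script> and onclick reach the browser.
function render_log_body_unsafe(string $body): string
{
    return '<div class="email-body">' . $body . '</div>';
}

// Hardened pattern: filter at the output sink. In WordPress, wp_kses_post()
// applies the post-content allowlist. Outside WordPress (hypothetical fallback
// so this file runs stand-alone) escape everything with htmlspecialchars().
function render_log_body_safe(string $body): string
{
    if (function_exists('wp_kses_post')) {
        $clean = wp_kses_post($body);
    } else {
        $clean = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return '<div class="email-body">' . $clean . '</div>';
}

// Crude reviewer check: does the rendered HTML still contain a real <script>
// tag or an inline on* handler inside a tag? Escaped text has no literal '<'
// starting a tag, so it will not match.
function contains_active_content(string $html): bool
{
    return (bool) preg_match('/<script\b|<[a-z][^>]*\son[a-z]+\s*=/i', $html);
}

if (PHP_SAPI === 'cli') {
    echo 'unsafe render has active content: ';
    var_dump(contains_active_content(render_log_body_unsafe($logged_body)));
    echo 'safe render has active content: ';
    var_dump(contains_active_content(render_log_body_safe($logged_body)));
}
```

The point of the contrast is where the filter sits: escaping or allowlisting at the point of output protects the page even when the stored value was never sanitised on the way in, which is exactly the guarantee that was lost when the wp_kses_post() call was dropped.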
Advisories, including Wordfence's, recommend updating to a version later than 2.6.2. The fix can be reviewed in the WordPress plugin trac (e.g., changeset 3238172), which touches the relevant code in Functions.php and Utils.php. The plugin's page on WordPress.org carries the release history and remediation details.
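A version check for the affected range, added here as an example and not taken from the advisory or the plugin. Two details make a naive check wrong for this CVE: the fix in 2.4.8 was lost again in 2.4.9, so "at least 2.4.8" does not mean safe, and plain string comparison orders "2.4.10" before "2.4.9". The range boundaries are the ones the advisory states; no specific fixed version number is assumed, only "later than 2.6.2". The sample version strings are constructed inputs.

```php
<?php
// Added example, not the plugin's code. Range boundaries as stated in the advisory.
const YAYSMTP_FIRST_AFFECTED = '2.4.9';
const YAYSMTP_LAST_AFFECTED  = '2.6.2';

// True when the installed version falls inside the affected range, inclusive.
// version_compare() orders components numerically, so '2.4.10' > '2.4.9';
// the string comparison below it shows the mistake to avoid.
function yaysmtp_is_affected(string $installed): bool
{
    return version_compare($installed, YAYSMTP_FIRST_AFFECTED, '>=')
        && version_compare($installed, YAYSMTP_LAST_AFFECTED, '<=');
}

// Deliberately wrong check, kept only to show the failure modes: it treats the
// 2.4.8 patch as permanent and compares versions as strings.
function yaysmtp_is_affected_naive(string $installed): bool
{
    return strcmp($installed, '2.4.8') < 0;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs spanning both sides of each boundary.
    foreach (['2.4.8', '2.4.9', '2.4.10', '2.6.2', '2.6.3'] as $v) {
        printf("%-7s correct: %-12s naive: %s\n",
            $v,
            yaysmtp_is_affected($v) ? 'affected' : 'not affected',
            yaysmtp_is_affected_naive($v) ? 'affected' : 'not affected');
    }
}
```

On a live site the installed version can be read with WP-CLI (`wp plugin get <slug> --field=version`, where the slug is assumed to be the plugin's WordPress.org directory name) or with get_plugin_data() inside WordPress, and passed to yaysmtp_is_affected().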
Details
- CWE(s)