CVE-2025-0918

CVE-2025-0918, published on 2025-02-22, is a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the SMTP for SendGrid – YaySMTP plugin for WordPress, affecting versions up to and including 1.4. The flaw arises from insufficient input sanitization and output escaping, earning a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By injecting arbitrary web scripts into pages, attackers cause the scripts to execute in users' browsers whenever those pages are accessed, enabling potential theft of session data or manipulation of page content with low confidentiality and integrity impacts under a changed scope.

Advisories and patches are detailed in references including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/b98f2a85-9535-4bf5-900c-f4f630c7b502?source=cve, the plugin's Trac changeset 3270556 at https://plugins.trac.wordpress.org/changeset/3270556/, affected code in Functions.php at https://plugins.trac.wordpress.org/browser/smtp-sendgrid/trunk/includes/Functions.php, and the plugin's developer page at https://wordpress.org/plugins/smtp-sendgrid/#developers. Practitioners should consult these for patch details and apply updates accordingly.