CVE-2025-0953
Published: 22 February 2025
Description
The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Security Summary
CVE-2025-0953 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting the SMTP for Sendinblue – YaySMTP plugin for WordPress in versions up to and including 1.2. The flaw arises from insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts into pages. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) and was published on 2025-02-22T13:15:11.850.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By injecting malicious scripts, they can have them execute in the context of any user's browser when accessing the affected page, potentially leading to session hijacking, data theft, or further site compromise given the changed scope (S:C).
Advisories and references, including Wordfence threat intelligence and the WordPress plugin Trac repository, identify the vulnerable code in files such as Functions.php and Utils.php, with changeset 3270561 indicating that a patch was applied. Security practitioners should consult these sources and update to a plugin version later than 1.2 to mitigate the issue.
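The two weaknesses named above, missing input sanitization and missing output escaping in a handler reachable without authentication, are shown below as an added illustration; this is hypothetical code written for this page, not the YaySMTP plugin's own code, and every function, hook and option name in it is invented except the WordPress core APIs (`sanitize_text_field`, `esc_html`, `check_ajax_referer`, `current_user_can`, `wp_ajax_nopriv_*`).

```php
<?php
// Added illustration, not code from the YaySMTP plugin: a hypothetical
// WordPress handler that stores a visitor-supplied value and later renders it.
// Function, hook and option names are invented for the example.

// --- Unsafe pattern: no authorization, no sanitization, no escaping ---
function demo_unsafe_save() {
    $label = $_POST['label'] ?? '';           // raw input, any markup accepted
    update_option( 'demo_label', $label );    // stored exactly as received
}
function demo_unsafe_render() {
    echo '<p>' . get_option( 'demo_label' ) . '</p>'; // rendered unescaped
}
// Registered on the nopriv hook, so no login is needed to reach the handler.
add_action( 'wp_ajax_nopriv_demo_save', 'demo_unsafe_save' );

// --- Hardened pattern: authorize, sanitize on input, escape on output ---
function demo_safe_save() {
    // Only a privileged user may change stored settings, and the request
    // must carry a nonce bound to this specific action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_save', 'nonce' );

    // Sanitize on input: strips tags and normalizes whitespace.
    $label = sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) );
    update_option( 'demo_label', $label );
    wp_send_json_success();
}
function demo_safe_render() {
    // Escape on output for the context it lands in: esc_html() for HTML
    // text, esc_attr() for attribute values, esc_url() for hrefs.
    echo '<p>' . esc_html( get_option( 'demo_label', '' ) ) . '</p>';
}
// Authenticated hook only; no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_demo_save', 'demo_safe_save' );
```

Sanitizing on input alone is not enough, because a value that is safe as plain text can still break out of an attribute or a URL; escaping at the point of output, for the specific context, is what closes the stored XSS path.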
Details
- CWE(s)