CVE-2025-0957
Published: 22 February 2025
Description
The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Security Summary
CVE-2025-0957 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the SMTP for Amazon SES – YaySMTP plugin for WordPress in versions up to and including 1.7.1. The flaw stems from insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts into pages. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, no privileges or user interaction required, and changed scope with low confidentiality and integrity impacts.
Unauthenticated attackers can exploit this vulnerability remotely by injecting malicious scripts through the plugin's affected components. Once injected, the scripts persist in the pages and execute in the browsers of any users who access those pages, potentially leading to session hijacking, data theft, or further site compromise depending on the victim's privileges.
Advisories and references, including Wordfence threat intelligence and WordPress plugin trac repositories, highlight affected code in Functions.php and Utils.php, with changeset 3270161 indicating a patch application. Security practitioners should update to a version beyond 1.7.1 and review the plugin's developer page for remediation details.
Details
- CWE(s)