CVE-2025-1319

CVE-2025-1319, published on 2025-02-28, is a Stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress. It affects all versions up to and including 1.2.3 due to insufficient input sanitization and output escaping. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity with network accessibility, low attack complexity, no privileges or user interaction required, and changed scope.

Unauthenticated attackers can exploit this vulnerability remotely by injecting arbitrary web scripts through the plugin, which are then stored and executed in the context of affected pages whenever any user accesses them. This allows potential theft of session cookies, deflection of users to malicious sites, or other client-side attacks, resulting in low impacts to confidentiality and integrity.

Advisories and patch details are provided in references including WordPress plugin trac changeset 3247059, the plugin's developers page on WordPress.org, and Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c9fe3574-f338-474c-af78-f843501d422c?source=cve. Security practitioners should review these for specific mitigation steps, such as applying the patch or updating the plugin.