High severity7.2NVD Advisory· Published Feb 19, 2025· Updated Jun 17, 2026
CVE-2025-0916
CVE-2025-0916
Description
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- yaycommerce/YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Servicev5Range: 2.4.9
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/changeset/3238172nvdPatch
- www.wordfence.com/threat-intel/vulnerabilities/id/209019bd-b214-4389-a972-42e38d501203nvdThird Party Advisory
- plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Functions.phpnvdProduct
- plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Helper/Utils.phpnvdProduct
- wordpress.org/plugins/yaysmtp/nvdProductRelease Notes
News mentions
0No linked articles in our index yet.