CVE-2025-47587

The YaySMTP plugin for WordPress, versions 2.6.4 and earlier, contains a blind SQL injection vulnerability due to improper neutralization of special elements used in SQL commands. This flaw allows an attacker to inject malicious SQL queries through the plugin's input fields, bypassing intended restrictions [1].

Exploitation does not require authentication, making it accessible to any remote attacker. The vulnerability is a blind SQL injection, meaning an attacker can infer information from the database by observing the application's responses. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Successful exploitation enables an attacker to directly interact with the WordPress database, potentially extracting sensitive information such as user credentials, email addresses, and other stored data. The CVSS score of 7.6 (High) reflects the significant risk posed by this vulnerability [1].

The vendor has addressed the issue in version 2.6.5. Users are strongly advised to update the plugin immediately. For those unable to update, consulting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].