CVE-2025-48161
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through <= 1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in YaySMTP WordPress plugin (<=1.3) allows unauthenticated attackers to execute arbitrary SQL commands.
Vulnerability
Overview
The YaySMTP plugin for WordPress, specifically the smtp-sendinblue component, contains an SQL injection vulnerability due to improper neutralization of special elements used in an SQL command. This flaw affects all versions up to and including 1.3 [1].
Exploitation
Attackers can exploit this vulnerability by sending crafted input to the plugin's functionality, potentially without requiring authentication. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Impact
Successful exploitation allows an attacker to directly interact with the underlying database. This can lead to unauthorized access to sensitive information, data exfiltration, or modification of database contents [1].
Mitigation
The issue has been addressed in version 1.3.1 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.3
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.