CVE-2025-48301
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for SendGrid – YaySMTP smtp-sendgrid allows SQL Injection. This issue affects SMTP for SendGrid – YaySMTP: from n/a through <= 1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in YaySMTP's smtp-sendgrid plugin for WordPress allows unauthenticated attackers to execute arbitrary SQL commands, fixed in version 1.5.1.
Vulnerability Overview
CVE-2025-48301 describes an improper neutralization of special elements used in an SQL command (SQL injection) vulnerability in the YayCommerce SMTP for SendGrid – YaySMTP plugin for WordPress. The issue affects versions through 1.5. The root cause is insufficient sanitization of user-supplied input before it is incorporated into SQL queries, enabling an attacker to inject malicious SQL code.
Attack Vector
The vulnerability can be exploited by sending crafted HTTP requests to the WordPress installation running the vulnerable plugin. No authentication is required for exploitation, making the attack surface particularly broad. The attacker only needs to be able to communicate with the web server.
Impact
Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary SQL commands against the WordPress database. This could lead to extraction of sensitive data such as user credentials, personal information, or other stored content, as well as potential modification or deletion of database records.
Mitigation
The vendor has released version 1.5.1, which addresses the vulnerability. Immediate update to this version or later is strongly recommended. Users who cannot update immediately should consider asking their hosting provider or web developer for assistance. According to the Patchstack advisory [1], the vulnerability is of high severity (CVSS 7.6) and may be used in mass-exploit campaigns [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.