CVE-2025-53256

Vulnerability

Overview

CVE-2025-53256 is a SQL injection vulnerability in the YaySMTP plugin for WordPress, affecting versions up to and including 2.6.6. The issue stems from improper neutralization of special elements used in an SQL command, allowing an attacker to inject malicious SQL queries through unsanitized input fields.

Exploitation

This vulnerability can be exploited by sending specially crafted requests to the affected plugin, potentially without requiring authentication. The security advisory from Patchstack indicates that such vulnerabilities are actively used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation could allow a malicious actor to directly interact with the WordPress database, leading to data theft, modification, or deletion. The CVSS score of 7.6 (High) reflects the ease of exploitation and potential for significant information disclosure.

Mitigation

The vulnerability has been patched in version 2.6.7. Users are strongly advised to update the YaySMTP plugin to this latest version immediately. For those unable to update, contacting the hosting provider or web developer for assistance is recommended [1].