Description
The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS that can execute arbitrary scripts whenever anyone views an injected email log page
Action: Patch
AI Analysis

Impact

The SMTP for Sendinblue – YaySMTP WordPress plugin (versions up to and including 1.2) harbors a stored cross‑site scripting flaw (CWE‑79). Inadequate input sanitization and output escaping enable an attacker to embed malicious JavaScript into the plugin’s email log entries. When any user opens a log page containing the injected script, the browser executes it, potentially stealing credentials, defacing the site, or redirecting the user to malicious content.

Affected Systems

WordPress sites that employ the SMTP for Sendinblue – YaySMTP plugin version 1.2 or earlier are affected. The product is sold by yaycommerce, and no additional operating system or server platform is implicated beyond the WordPress environment.

Risk and Exploitability

The flaw carries a CVSS score of 7.2, indicating high severity, while an EPSS score of under 1% implies a currently low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but it is unauthenticated, meaning any visitor could inject scripts by abusing the plugin’s logging panel, and the stored nature of the XSS causes the risk to persist for all subsequent viewers of the contaminated page.

Generated by OpenCVE AI on April 22, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SMTP for Sendinblue – YaySMTP plugin to the latest release (≥ 1.3) where the stored‑XSS weakness is resolved.
  • If an upgrade cannot be performed immediately, restrict the email‑log view pages so that only administrators can access them, thereby blocking unauthenticated exploitation.
  • Implement a Web Application Firewall or server‑level rule that blocks or sanitizes script tags inserted into log content to mitigate the vulnerability until the plugin is updated.

Generated by OpenCVE AI on April 22, 2026 at 02:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4437 The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SMTP for Sendinblue – YaySMTP <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs
References

Wed, 05 Mar 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Yaycommerce
Yaycommerce yaysmtp
CPEs cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*
Vendors & Products Yaycommerce
Yaycommerce yaysmtp

Mon, 24 Feb 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Feb 2025 12:45:00 +0000

Type Values Removed Values Added
Description The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title SMTP for Sendinblue – YaySMTP <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Yaycommerce Yaysmtp
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:26.158Z

Reserved: 2025-01-31T19:56:58.737Z

Link: CVE-2025-0953

cve-icon Vulnrichment

Updated: 2025-02-24T12:50:48.237Z

cve-icon NVD

Status : Modified

Published: 2025-02-22T13:15:11.850

Modified: 2026-04-08T19:22:49.200

Link: CVE-2025-0953

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses