Description
The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting on user browsers
Action: Patch Immediately
AI Analysis

Impact

The SMTP for Amazon SES – YaySMTP plugin for WordPress contains a stored cross‑site scripting flaw that allows an attacker to inject JavaScript into email‑logging pages. The vulnerable code stores unsanitized input and later displays it without proper escaping, giving the attacker the ability to run arbitrary client‑side scripts whenever a user views the affected page. The flaw grants the attacker the same level of compromised user session as a typical XSS, with potential to steal cookies, perform phishing, or hijack user actions on the site.

Affected Systems

WordPress sites that have the YaySMTP plugin version 1.7.1 or earlier installed are affected. The vulnerability is specific to the plugin’s email‑logging feature and does not impact WordPress core or other plugins.

Risk and Exploitability

The CVSS score of 7.2 indicates a high level of severity. The EPSS score of less than 1% suggests that exploitation is unlikely but still possible. The flaw is not yet listed in the CISA KEV catalog. Attackers would need to send crafted emails that are logged by the plugin and then trigger the log page for an authenticated user to suffer XSS. Because the vulnerability is unauthenticated, any user who can access the email‑log page could be targeted.

Generated by OpenCVE AI on April 22, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SMTP for Amazon SES – YaySMTP plugin to version 1.8 or later, which includes input sanitization and output escaping.
  • If an update is not possible, disable the plugin’s email‑logging feature to prevent the vulnerability from being triggered.
  • Restrict access to the email‑logging page and implement a Web Application Firewall rule to filter out common XSS payloads.

Generated by OpenCVE AI on April 22, 2026 at 02:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4436 The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Title Vulnerability: SMTP for Amazon SES <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs Vulnerability: SMTP for Amazon SES <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs
References

Mon, 24 Feb 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Vulnerability: SMTP for Amazon SES <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-04T14:46:41.519Z

Reserved: 2025-01-31T20:34:34.838Z

Link: CVE-2025-0957

cve-icon Vulnrichment

Updated: 2025-02-24T12:48:04.430Z

cve-icon NVD

Status : Deferred

Published: 2025-02-22T14:15:29.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0957

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')