Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through <= 1.7.
Published: 2025-01-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user‑supplied input in Myriad Solutionz Stars SMTP Mailer allows an attacker to embed malicious scripts into a web page. This reflected XSS flaw falls under CWE‑79 and can enable execution of arbitrary JavaScript in the context of a victim’s browser, potentially leading to session hijacking, defacement, or further compromise of the site.

Affected Systems

The vulnerability affects the WordPress plugin Stars SMTP Mailer in all releases up to and including version 1.7. Any WordPress installation running the plugin at version 1.7 or earlier is potentially exposed.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity range, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. Attackers would most likely exploit the issue by sending a crafted request or linking a malicious URL that includes unsafe parameters handled by the plugin’s input fields.

Generated by OpenCVE AI on May 1, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Stars SMTP Mailer to the latest version available from the vendor that addresses the XSS flaw.
  • If an upgrade is not immediately possible, disable or remove the plugin from the WordPress instance to eliminate the vulnerability surface.
  • Apply a Web Application Firewall or similar input‑validation mechanism that filters or sanitizes URLs and user input to block potential XSS payloads.

Advisories
Source: EUVD
ID: EUVD-2025-3189
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through 1.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through 1.7.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer stars-smtp-mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through <= 1.7.
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 17 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 16 Jan 2025 20:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Myriad Solutionz Stars SMTP Mailer allows Reflected XSS. This issue affects Stars SMTP Mailer: from n/a through 1.7.
Title WordPress Stars SMTP Mailer plugin <= 1.7 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:09.651Z

Reserved: 2025-01-16T11:24:55.799Z

Link: CVE-2025-23453

Vulnrichment

Updated: 2025-01-17T17:22:28.655Z

NVD

Status: Deferred

Published: 2025-01-16T20:15:35.883

Modified: 2026-06-17T08:54:29.567

Link: CVE-2025-23453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T21:30:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')