Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection. This issue affects YaySMTP: from n/a through <= 2.6.4.
Published: 2025-05-07
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a blind SQL injection flaw in the YaySMTP WordPress plugin, classified as CWE-89. User-supplied data is concatenated directly into SQL statements without proper sanitization or parameterization, allowing attackers to inject arbitrary SQL commands. Successful exploitation could read, modify, or delete sensitive data stored in the WordPress database, compromising its confidentiality and integrity.

Affected Systems

The YaySMTP plugin released by YayCommerce for WordPress is affected from the earliest available build through version 2.6.4. Any WordPress site running one of these plugin versions is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 signifies a high-severity vulnerability, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers could target the plugin’s web interfaces or REST API endpoints to trigger the blind injection; the description does not mention any privilege requirements, so it is unclear from the description alone whether elevated privileges are needed.

Generated by OpenCVE AI on May 2, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the YaySMTP plugin to the latest release that contains the SQL injection fix.
  • If an upgrade is not immediately possible, deactivate or uninstall the plugin to remove the vulnerable code.
  • Apply input validation and use prepared statements for database queries, or deploy a web application firewall to block suspicious SQL patterns and limit REST API access to trusted users.

Generated by OpenCVE AI on May 2, 2026 at 01:39 UTC.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-13784
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows Blind SQL Injection. This issue affects YaySMTP: from n/a through 2.6.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows Blind SQL Injection. This issue affects YaySMTP: from n/a through 2.6.4.
Value added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.4.

Type: Title
Value removed: WordPress YaySMTP <= 2.6.4 - SQL Injection Vulnerability
Value added: WordPress YaySMTP plugin <= 2.6.4 - SQL Injection Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Value removed: {'score': 0.00039}
Value added: {'score': 0.00041}


Wed, 07 May 2025 19:15:00 +0000

Type: Metrics (ssvc)
Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type: Description
Value: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows Blind SQL Injection. This issue affects YaySMTP: from n/a through 2.6.4.

Type: Title
Value: WordPress YaySMTP <= 2.6.4 - SQL Injection Vulnerability

Type: Weaknesses
Value: CWE-89

Type: References

Type: Metrics (cvssV3_1)
Value: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Yaycommerce Yaysmtp
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.186Z

Reserved: 2025-05-07T10:44:15.221Z

Link: CVE-2025-47587

Vulnrichment

Updated: 2025-05-07T17:20:09.537Z

NVD

Status : Deferred

Published: 2025-05-07T15:16:12.187

Modified: 2026-04-23T15:30:33.033

Link: CVE-2025-47587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:45:26Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')