CVE-2025-0916: 
WordPress vulnerability analysis and mitigation

The YaySMTP and Email Logs plugin for WordPress (versions 2.4.9 to 2.6.2) contains a Stored Cross-Site Scripting vulnerability. This plugin enables WordPress sites to send emails using various SMTP service providers including Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and other SMTP services. The vulnerability was disclosed on February 19, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping in the plugin. The issue was initially patched in version 2.4.8 through the implementation of the wpksespost() WordPress sanitization function, but was reintroduced in version 2.4.9 when this security measure was removed. This allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page (CVE Mitre).

The vulnerability allows unauthenticated attackers to inject malicious web scripts into pages. These scripts will execute whenever a user accesses the compromised page, potentially leading to account takeover, data theft, or other malicious actions depending on the injected code (NVD).

The vulnerability has been patched in version 2.6.3 of the YaySMTP plugin. Users are strongly advised to update to this latest version which fixes the XSS vulnerabilities in SMTP Sendinblue/Brevo, SMTP SendGrid, and SMTP Amazon SES implementations (WordPress Plugin).