CVE-2025-3434: 
WordPress vulnerability analysis and mitigation

The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via Email Logs in versions up to and including 1.8. The vulnerability was discovered and disclosed on April 11, 2025, and has been assigned identifier CVE-2025-3434. This security issue affects WordPress installations using the YaySMTP plugin for Amazon SES email functionality (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's email logging functionality. This allows unauthenticated attackers to inject arbitrary web scripts that execute whenever a user accesses an injected page. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility with low attack complexity and no privileges required (NVD CVE).

The vulnerability allows attackers to inject malicious web scripts that execute in users' browsers when viewing the affected pages. This could lead to unauthorized access to sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' sessions (NVD CVE).

The vulnerability has been patched in version 1.9 of the SMTP for Amazon SES – YaySMTP plugin, released on April 10, 2025. Users are strongly advised to update to this latest version which includes fixes for the XSS vulnerability with special characters (WordPress Plugin).