CVE-2025-0916
📋 TL;DR
This vulnerability allows unauthenticated attackers to inject malicious scripts into pages of WordPress sites that use the YaySMTP plugin. When users visit an affected page, the injected script executes in their browser, potentially stealing credentials or performing unauthorized actions. WordPress sites running vulnerable plugin versions 2.4.9 to 2.6.2 are affected.
💻 Affected Systems
- YaySMTP and Email Logs WordPress plugin
📦 What is this software?
Yaysmtp by Yaycommerce
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over the WordPress site, install backdoors, or redirect visitors to malicious sites, leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious scripts to steal user session cookies, perform actions as logged-in users, or deface website content.
If Mitigated
With proper input validation and output escaping, script injection is prevented, limiting impact to minor data exposure if other vulnerabilities exist.
🎯 Exploit Status
Exploitation requires finding vulnerable input fields and crafting XSS payloads, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.3 or later
Vendor Advisory: https://wordpress.org/plugins/yaysmtp/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the YaySMTP plugin.
4. Click 'Update Now' if available, or manually update to version 2.6.3 or later.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
WordPress: Temporarily deactivate the YaySMTP plugin until the patched version (2.6.3 or later) can be installed.
wp plugin deactivate yaysmtp
Enable WordPress auto-updates
WordPress: Configure WordPress to automatically update the plugin when security patches are released.
wp plugin auto-updates enable yaysmtp
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Restrict plugin access to trusted IP addresses only using .htaccess or server configuration.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > YaySMTP > Version. If version is between 2.4.9 and 2.6.2 inclusive, the site is vulnerable.
Check Version:
wp plugin get yaysmtp --field=version
Verify Fix Applied:
After updating, confirm YaySMTP plugin version is 2.6.3 or higher in WordPress admin panel.
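The version check above is easy to get wrong when done as a string comparison ("2.10.0" sorts before "2.6.3" lexically). The following script is an added example, not part of the advisory or of the plugin: it parses the version string into integer components and tests it against the affected range and fixed version stated in this advisory. The way the installed version is obtained (the `wp plugin get yaysmtp --field=version` command, run against an assumed WordPress path) is an assumption about your environment.

```python
"""Check whether an installed YaySMTP version is in the vulnerable range.

Added example (not from the advisory or the plugin). The affected range
2.4.9 through 2.6.2 inclusive and the fixed version 2.6.3 come from the
advisory; the wp-cli invocation and WordPress path are assumptions.
"""
import re
import subprocess

VULN_MIN = (2, 4, 9)   # first affected version (inclusive)
VULN_MAX = (2, 6, 2)   # last affected version (inclusive)
FIXED = (2, 6, 3)      # first patched version


def parse_version(text):
    """Turn '2.6.2' (or '2.6.2-beta1') into a 3-tuple of ints.

    Only the leading dotted-number part is used; missing components are
    padded with 0 so that '2.6' compares as 2.6.0.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True if the version lies within the affected range, inclusive."""
    return VULN_MIN <= parse_version(version_text) <= VULN_MAX


def is_fixed(version_text):
    """True if the version is the patched release or newer."""
    return parse_version(version_text) >= FIXED


def installed_version(wp_path="/var/www/html"):
    """Ask wp-cli for the installed plugin version.

    Assumes wp-cli is on PATH and a WordPress install lives at wp_path.
    """
    out = subprocess.run(
        ["wp", "plugin", "get", "yaysmtp", "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    try:
        ver = installed_version()
    except (OSError, subprocess.CalledProcessError):
        # wp-cli not available here: fall back to a constructed sample value
        ver = "2.6.2"
    if is_vulnerable(ver):
        print(f"YaySMTP {ver}: VULNERABLE (update to 2.6.3 or later)")
    elif is_fixed(ver):
        print(f"YaySMTP {ver}: patched")
    else:
        print(f"YaySMTP {ver}: outside the affected range")
```

Note that a version such as 2.6 (no patch component) is treated as 2.6.0, which falls inside the affected range; a pre-release suffix is ignored for the comparison.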
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to YaySMTP endpoints containing script tags or JavaScript code
- Multiple failed XSS attempts in web server logs
Network Indicators:
- Inbound requests with malicious payloads targeting /wp-content/plugins/yaysmtp/ paths
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/yaysmtp/" AND (body="<script>" OR body="javascript:"))
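As an added example that is not part of the advisory, the script below applies the same indicators as the SIEM query (requests to the YaySMTP plugin path whose body contains `<script>` or `javascript:`) to request records and also counts repeated attempts per source address, which is the "multiple attempts" indicator listed above. The records are constructed JSON lines with assumed field names (ts, src, method, path, body, status); real field names depend on your web server or WAF, and the body is only available if you log it. Unlike the literal SIEM query, the matcher percent-decodes and lowercases the body first so that encoded or mixed-case variants are not missed.

```python
"""Match request records against the CVE-2025-0916 detection indicators.

Added example, not part of the advisory. The sample records are
constructed; field names are assumptions about your logging pipeline.
"""
import json
from collections import Counter
from urllib.parse import unquote_plus

PLUGIN_PREFIX = "/wp-content/plugins/yaysmtp/"   # path from the advisory
BODY_MARKERS = ("<script", "javascript:")        # body indicators from the advisory

# Constructed sample log (JSON lines). Two lines from 203.0.113.5 should
# match; the others are benign or outside this rule's scope.
SAMPLE_LOG = """\
{"ts": "2025-02-01T10:00:01Z", "src": "203.0.113.5", "method": "POST", "path": "/wp-content/plugins/yaysmtp/", "body": "subject=%3Cscript%3E%3C%2Fscript%3E", "status": 200}
{"ts": "2025-02-01T10:00:05Z", "src": "198.51.100.7", "method": "GET", "path": "/wp-admin/admin.php", "body": "", "status": 200}
{"ts": "2025-02-01T10:00:09Z", "src": "198.51.100.7", "method": "POST", "path": "/wp-content/plugins/yaysmtp/", "body": "subject=Weekly+report", "status": 200}
{"ts": "2025-02-01T10:00:12Z", "src": "203.0.113.5", "method": "POST", "path": "/wp-content/plugins/yaysmtp/", "body": "from_name=JavaScript%3Avoid", "status": 200}
{"ts": "2025-02-01T10:00:20Z", "src": "192.0.2.9", "method": "POST", "path": "/contact/", "body": "msg=%3Cscript%3E", "status": 200}
"""


def normalise(text):
    """Percent-decode twice (to handle double encoding) and lowercase."""
    return unquote_plus(unquote_plus(text or "")).lower()


def is_suspicious(rec):
    """True when the request targets the plugin path and the body carries a marker."""
    path = normalise(rec.get("path", ""))
    body = normalise(rec.get("body", ""))
    return path.startswith(PLUGIN_PREFIX) and any(m in body for m in BODY_MARKERS)


def scan(log_text):
    """Return the records in a JSON-lines log that match the indicators."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if is_suspicious(rec):
            hits.append(rec)
    return hits


def repeat_offenders(hits, threshold=2):
    """Source addresses with at least `threshold` matching requests."""
    counts = Counter(h["src"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    matches = scan(SAMPLE_LOG)
    for rec in matches:
        print(f"{rec['ts']} {rec['src']} {rec['method']} {rec['path']} body={rec['body']!r}")
    print("repeat offenders:", repeat_offenders(matches))
```

The last sample line shows the rule's scope: a script tag posted to a different path is not matched here, because the advisory's indicator is specifically tied to the plugin path. Widen PLUGIN_PREFIX or add a second rule if you want site-wide coverage, at the cost of more noise.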
🔗 References
- https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Functions.php
- https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Helper/Utils.php
- https://plugins.trac.wordpress.org/changeset/3238172
- https://wordpress.org/plugins/yaysmtp/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/209019bd-b214-4389-a972-42e38d501203?source=cve