Search

Find a vulnerability

Search criteria

    22 vulnerabilities found for yaysmtp by yaycommerce

    CVE-2025-48161 (GCVE-0-2025-48161)

    Vulnerability from nvd – Published: 2025-07-16 10:36 – Updated: 2026-05-12 00:30
    VLAI
    Title
    WordPress YaySMTP plugin <= 1.3 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through <= 1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 1.3 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    Lê Quốc Bảo | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-16T19:00:07.445981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T00:30:16.119Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "smtp-sendinblue",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.3.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "L\u00ea Qu\u1ed1c B\u1ea3o | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:31.840Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 1.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 1.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:53.016Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/smtp-sendinblue/vulnerability/wordpress-yaysmtp-plugin-1-3-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 1.3 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-48161",
        "datePublished": "2025-07-16T10:36:56.225Z",
        "dateReserved": "2025-05-15T18:02:03.512Z",
        "dateUpdated": "2026-05-12T00:30:16.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53256 (GCVE-0-2025-53256)

    Vulnerability from nvd – Published: 2025-06-27 13:21 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress YaySMTP plugin <= 2.6.6 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 2.6.6 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:41
    Credits
    Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53256",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T14:36:26.223579Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T14:45:33.941Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "yaysmtp",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:41:47.969Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 2.6.6.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 2.6.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:21.991Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/yaysmtp/vulnerability/wordpress-yaysmtp-plugin-6-8-1-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 2.6.6 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-53256",
        "datePublished": "2025-06-27T13:21:05.082Z",
        "dateReserved": "2025-06-27T11:58:24.740Z",
        "dateUpdated": "2026-04-28T16:13:21.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47587 (GCVE-0-2025-47587)

    Vulnerability from nvd – Published: 2025-05-07 14:20 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress YaySMTP plugin <= 2.6.4 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 2.6.4 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    ChuongVN | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47587",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-07T17:20:08.273543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-07T18:15:28.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "yaysmtp",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ChuongVN | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:13.022Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 2.6.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 2.6.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:46.186Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/yaysmtp/vulnerability/wordpress-yaysmtp-2-6-4-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 2.6.4 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47587",
        "datePublished": "2025-05-07T14:20:21.213Z",
        "dateReserved": "2025-05-07T10:44:15.221Z",
        "dateUpdated": "2026-04-28T16:12:46.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0953 (GCVE-0-2025-0953)

    Vulnerability from nvd – Published: 2025-02-22 12:39 – Updated: 2026-06-04 14:46
    VLAI
    Title
    SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs
    Summary
    The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    yaycommerce SMTP for Sendinblue – YaySMTP Affected: 0 , ≤ 1.2 (semver)
    Create a notification for this product.
    Credits
    Cristian Bejan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-24T12:50:38.670042Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T14:46:09.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SMTP for Sendinblue \u2013 YaySMTP",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Cristian Bejan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SMTP for Sendinblue \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:26.158Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ba65ac-e568-4c13-961d-6453f281d9fc?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/smtp-sendinblue/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Helper/Utils.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Functions.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3270561/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SMTP for Sendinblue \u2013 YaySMTP \u003c= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0953",
        "datePublished": "2025-02-22T12:39:21.934Z",
        "dateReserved": "2025-01-31T19:56:58.737Z",
        "dateUpdated": "2026-06-04T14:46:09.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0918 (GCVE-0-2025-0918)

    Vulnerability from nvd – Published: 2025-02-22 12:39 – Updated: 2026-06-04 14:45
    VLAI
    Title
    SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs
    Summary
    The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    yaycommerce SMTP for SendGrid – YaySMTP Affected: 0 , ≤ 1.4 (semver)
    Create a notification for this product.
    Credits
    Cristian Bejan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0918",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-24T12:51:34.639779Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T14:45:40.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SMTP for SendGrid \u2013 YaySMTP",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "1.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Cristian Bejan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SMTP for SendGrid \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:18:05.508Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b98f2a85-9535-4bf5-900c-f4f630c7b502?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendgrid/trunk/includes/Functions.php"
            },
            {
              "url": "https://wordpress.org/plugins/smtp-sendgrid/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3270556/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SMTP for SendGrid \u2013 YaySMTP \u003c= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0918",
        "datePublished": "2025-02-22T12:39:21.418Z",
        "dateReserved": "2025-01-31T00:06:27.898Z",
        "dateUpdated": "2026-06-04T14:45:40.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0916 (GCVE-0-2025-0916)

    Vulnerability from nvd – Published: 2025-02-19 11:10 – Updated: 2025-02-19 14:19
    VLAI
    Title
    YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting
    Summary
    The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    D.Sim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0916",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-19T14:19:22.006052Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-19T14:19:33.083Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "2.4.9",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "D.Sim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-19T11:10:38.414Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/209019bd-b214-4389-a972-42e38d501203?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Helper/Utils.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Functions.php"
            },
            {
              "url": "https://wordpress.org/plugins/yaysmtp/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3238172"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-18T22:01:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0916",
        "datePublished": "2025-02-19T11:10:38.414Z",
        "dateReserved": "2025-01-30T23:47:51.507Z",
        "dateUpdated": "2025-02-19T14:19:33.083Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3093 (GCVE-0-2023-3093)

    Vulnerability from nvd – Published: 2023-07-12 04:38 – Updated: 2026-04-08 16:58
    VLAI
    Title
    YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email
    Summary
    The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Alex Thomas
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:48:07.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2922163/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-05T18:38:26.529816Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-05T19:41:05.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Thomas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:58:33.201Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2922163/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-06-03T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-06-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-06-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "YaySMTP \u003c= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-3093",
        "datePublished": "2023-07-12T04:38:45.199Z",
        "dateReserved": "2023-06-04T03:17:14.839Z",
        "dateUpdated": "2026-04-08T16:58:33.201Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2372 (GCVE-0-2022-2372)

    Vulnerability from nvd – Published: 2022-08-08 13:47 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
    Summary
    The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.2 , < 2.2.2 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.2",
                  "status": "affected",
                  "version": "2.2.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-08T13:47:54.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.2 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2372",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.2 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.2",
                                "version_value": "2.2.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2372",
        "datePublished": "2022-08-08T13:47:54.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2371 (GCVE-0-2022-2371)

    Vulnerability from nvd – Published: 2022-08-08 13:47 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.1 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.561Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-08T13:47:39.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2371",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.1 - Subscriber+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2371",
        "datePublished": "2022-08-08T13:47:39.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2370 (GCVE-0-2022-2370)

    Vulnerability from nvd – Published: 2022-08-01 12:52 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/bedda2a9-6c52-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown YaySMTP Affected: 0 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.695Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "YaySMTP",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T08:50:23.489Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ SMTP Credentials Leak",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2370",
        "datePublished": "2022-08-01T12:52:51.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2369 (GCVE-0-2022-2369)

    Vulnerability from nvd – Published: 2022-08-01 12:52 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.1 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:52:42.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ Logs Disclosure",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2369",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.1 - Subscriber+ Logs Disclosure"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2369",
        "datePublished": "2022-08-01T12:52:42.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48161 (GCVE-0-2025-48161)

    Vulnerability from cvelistv5 – Published: 2025-07-16 10:36 – Updated: 2026-05-12 00:30
    VLAI
    Title
    WordPress YaySMTP plugin <= 1.3 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through <= 1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 1.3 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    Lê Quốc Bảo | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48161",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-16T19:00:07.445981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T00:30:16.119Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "smtp-sendinblue",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.3.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "L\u00ea Qu\u1ed1c B\u1ea3o | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:31.840Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 1.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 1.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:53.016Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/smtp-sendinblue/vulnerability/wordpress-yaysmtp-plugin-1-3-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 1.3 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-48161",
        "datePublished": "2025-07-16T10:36:56.225Z",
        "dateReserved": "2025-05-15T18:02:03.512Z",
        "dateUpdated": "2026-05-12T00:30:16.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53256 (GCVE-0-2025-53256)

    Vulnerability from cvelistv5 – Published: 2025-06-27 13:21 – Updated: 2026-04-28 16:13
    VLAI
    Title
    WordPress YaySMTP plugin <= 2.6.6 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 2.6.6 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:41
    Credits
    Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53256",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T14:36:26.223579Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T14:45:33.941Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "yaysmtp",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.7",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Kim Sang (HPT Vietnam) | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:41:47.969Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 2.6.6.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 2.6.6."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-66",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:13:21.991Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/yaysmtp/vulnerability/wordpress-yaysmtp-plugin-6-8-1-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 2.6.6 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-53256",
        "datePublished": "2025-06-27T13:21:05.082Z",
        "dateReserved": "2025-06-27T11:58:24.740Z",
        "dateUpdated": "2026-04-28T16:13:21.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47587 (GCVE-0-2025-47587)

    Vulnerability from cvelistv5 – Published: 2025-05-07 14:20 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress YaySMTP plugin <= 2.6.4 - SQL Injection Vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.This issue affects YaySMTP: from n/a through <= 2.6.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    YayCommerce YaySMTP Affected: 0 , ≤ 2.6.4 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    ChuongVN | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47587",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-07T17:20:08.273543Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-07T18:15:28.579Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "yaysmtp",
              "product": "YaySMTP",
              "vendor": "YayCommerce",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.6.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.6.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "ChuongVN | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:40:13.022Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.\u003cp\u003eThis issue affects YaySMTP: from n/a through \u003c= 2.6.4.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YayCommerce YaySMTP yaysmtp allows Blind SQL Injection.This issue affects YaySMTP: from n/a through \u003c= 2.6.4."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:12:46.186Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/yaysmtp/vulnerability/wordpress-yaysmtp-2-6-4-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress YaySMTP plugin \u003c= 2.6.4 - SQL Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-47587",
        "datePublished": "2025-05-07T14:20:21.213Z",
        "dateReserved": "2025-05-07T10:44:15.221Z",
        "dateUpdated": "2026-04-28T16:12:46.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0953 (GCVE-0-2025-0953)

    Vulnerability from cvelistv5 – Published: 2025-02-22 12:39 – Updated: 2026-06-04 14:46
    VLAI
    Title
    SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs
    Summary
    The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    yaycommerce SMTP for Sendinblue – YaySMTP Affected: 0 , ≤ 1.2 (semver)
    Create a notification for this product.
    Credits
    Cristian Bejan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-24T12:50:38.670042Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T14:46:09.590Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SMTP for Sendinblue \u2013 YaySMTP",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Cristian Bejan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SMTP for Sendinblue \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:30:26.158Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ba65ac-e568-4c13-961d-6453f281d9fc?source=cve"
            },
            {
              "url": "https://wordpress.org/plugins/smtp-sendinblue/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Helper/Utils.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Functions.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3270561/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SMTP for Sendinblue \u2013 YaySMTP \u003c= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0953",
        "datePublished": "2025-02-22T12:39:21.934Z",
        "dateReserved": "2025-01-31T19:56:58.737Z",
        "dateUpdated": "2026-06-04T14:46:09.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0918 (GCVE-0-2025-0918)

    Vulnerability from cvelistv5 – Published: 2025-02-22 12:39 – Updated: 2026-06-04 14:45
    VLAI
    Title
    SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs
    Summary
    The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    yaycommerce SMTP for SendGrid – YaySMTP Affected: 0 , ≤ 1.4 (semver)
    Create a notification for this product.
    Credits
    Cristian Bejan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0918",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-24T12:51:34.639779Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T14:45:40.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SMTP for SendGrid \u2013 YaySMTP",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "1.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Cristian Bejan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SMTP for SendGrid \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:18:05.508Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b98f2a85-9535-4bf5-900c-f4f630c7b502?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/smtp-sendgrid/trunk/includes/Functions.php"
            },
            {
              "url": "https://wordpress.org/plugins/smtp-sendgrid/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3270556/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-01-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-02-22T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SMTP for SendGrid \u2013 YaySMTP \u003c= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0918",
        "datePublished": "2025-02-22T12:39:21.418Z",
        "dateReserved": "2025-01-31T00:06:27.898Z",
        "dateUpdated": "2026-06-04T14:45:40.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0916 (GCVE-0-2025-0916)

    Vulnerability from cvelistv5 – Published: 2025-02-19 11:10 – Updated: 2025-02-19 14:19
    VLAI
    Title
    YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting
    Summary
    The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    D.Sim
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0916",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-19T14:19:22.006052Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-19T14:19:33.083Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "2.6.2",
                  "status": "affected",
                  "version": "2.4.9",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "D.Sim"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: The vulnerability has been initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-02-19T11:10:38.414Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/209019bd-b214-4389-a972-42e38d501203?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Helper/Utils.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/yaysmtp/trunk/includes/Functions.php"
            },
            {
              "url": "https://wordpress.org/plugins/yaysmtp/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3238172"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-18T22:01:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-0916",
        "datePublished": "2025-02-19T11:10:38.414Z",
        "dateReserved": "2025-01-30T23:47:51.507Z",
        "dateUpdated": "2025-02-19T14:19:33.083Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3093 (GCVE-0-2023-3093)

    Vulnerability from cvelistv5 – Published: 2023-07-12 04:38 – Updated: 2026-04-08 16:58
    VLAI
    Title
    YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email
    Summary
    The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Alex Thomas
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:48:07.059Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2922163/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3093",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-05T18:38:26.529816Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-05T19:41:05.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service",
              "vendor": "yaycommerce",
              "versions": [
                {
                  "lessThanOrEqual": "2.4.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Thomas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:58:33.201Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/68e6ec3a-c5fd-4f63-a9a0-2c9ddfb96e2e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/2922163/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-06-03T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2023-06-05T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2023-06-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "YaySMTP \u003c= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-3093",
        "datePublished": "2023-07-12T04:38:45.199Z",
        "dateReserved": "2023-06-04T03:17:14.839Z",
        "dateUpdated": "2026-04-08T16:58:33.201Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-2372 (GCVE-0-2022-2372)

    Vulnerability from cvelistv5 – Published: 2022-08-08 13:47 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
    Summary
    The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.2 , < 2.2.2 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.568Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.2",
                  "status": "affected",
                  "version": "2.2.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-08T13:47:54.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.2 - Admin+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2372",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.2 - Admin+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.2",
                                "version_value": "2.2.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/941fadb6-0009-4751-b979-88e87ebb1e45"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2372",
        "datePublished": "2022-08-08T13:47:54.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2371 (GCVE-0-2022-2371)

    Vulnerability from cvelistv5 – Published: 2022-08-08 13:47 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well.
    Severity
    No CVSS data available.
    CWE
    • CWE-79 - Cross-Site Scripting (XSS)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.1 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.561Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-08T13:47:39.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ Stored Cross-Site Scripting",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2371",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.1 - Subscriber+ Stored Cross-Site Scripting"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-79 Cross-Site Scripting (XSS)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/31405f1e-fc07-43f5-afc1-9cfbaf6911b7"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2371",
        "datePublished": "2022-08-08T13:47:39.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2370 (GCVE-0-2022-2370)

    Vulnerability from cvelistv5 – Published: 2022-08-01 12:52 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/bedda2a9-6c52-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown YaySMTP Affected: 0 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.695Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "YaySMTP",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Rafshanzani Suhada"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T08:50:23.489Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/bedda2a9-6c52-478e-b17a-7a4488419334"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ SMTP Credentials Leak",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2370",
        "datePublished": "2022-08-01T12:52:51.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.695Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2369 (GCVE-0-2022-2369)

    Vulnerability from cvelistv5 – Published: 2022-08-01 12:52 – Updated: 2024-08-03 00:32
    VLAI
    Title
    YaySMTP < 2.2.1 - Subscriber+ Logs Disclosure
    Summary
    The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown YaySMTP – Simple WP SMTP Mail Affected: 2.2.1 , < 2.2.1 (custom)
    Create a notification for this product.
    Credits
    Rafshanzani Suhada
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:32:09.470Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "YaySMTP \u2013 Simple WP SMTP Mail",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Rafshanzani Suhada"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-01T12:52:42.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "YaySMTP \u003c 2.2.1 - Subscriber+ Logs Disclosure",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-2369",
              "STATE": "PUBLIC",
              "TITLE": "YaySMTP \u003c 2.2.1 - Subscriber+ Logs Disclosure"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "YaySMTP \u2013 Simple WP SMTP Mail",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Rafshanzani Suhada"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-862 Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/9ec8d318-9d25-4868-94c6-7c16444c275d"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2369",
        "datePublished": "2022-08-01T12:52:42.000Z",
        "dateReserved": "2022-07-11T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:32:09.470Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }