{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0953", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-01-31T19:56:58.737Z", "datePublished": "2025-02-22T12:39:21.934Z", "dateUpdated": "2026-04-08T17:30:26.158Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:26.158Z"}, "affected": [{"vendor": "yaycommerce", "product": "SMTP for Sendinblue \u2013 YaySMTP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The SMTP for Sendinblue \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "SMTP for Sendinblue \u2013 YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ba65ac-e568-4c13-961d-6453f281d9fc?source=cve"}, {"url": "https://wordpress.org/plugins/smtp-sendinblue/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Helper/Utils.php"}, {"url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Functions.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3270561/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Cristian Bejan"}], "timeline": [{"time": "2025-01-31T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-01-31T00:00:00.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-02-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-24T12:50:38.670042Z", "id": "CVE-2025-0953", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-24T12:50:51.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-0953", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-24T12:50:38.670042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-24T12:50:48.237Z"}}], "cna": {"title": "SMTP for Sendinblue \u2013 YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs", "credits": [{"lang": "en", "type": "finder", "value": "Cristian Bejan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "yaycommerce", "product": "SMTP for Sendinblue \u2013 YaySMTP", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-01-31T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-01-31T00:00:00.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-02-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ba65ac-e568-4c13-961d-6453f281d9fc?source=cve"}, {"url": "https://wordpress.org/plugins/smtp-sendinblue/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Helper/Utils.php"}, {"url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Functions.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3270561/"}], "descriptions": [{"lang": "en", "value": "The SMTP for Sendinblue \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:26.158Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0953", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:26.158Z", "dateReserved": "2025-01-31T19:56:58.737Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-22T12:39:21.934Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yaycommerce:yaysmtp:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "95B58D8D-E4C5-41FD-9332-B0DDBB3DD4DF", "versionEndExcluding": "1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The SMTP for Sendinblue \u2013 YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento SMTP para Sendinblue \u2013 YaySMTP para WordPress es vulnerable a Cross-Site Scripting almacenado en versiones hasta la 1.1.1 incluida debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2025-0953", "lastModified": "2026-04-08T19:22:49.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-02-22T13:15:11.850", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Functions.php"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/smtp-sendinblue/trunk/includes/Helper/Utils.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3270561/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/smtp-sendinblue/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e7ba65ac-e568-4c13-961d-6453f281d9fc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:06:30.358794+00:00", "value": {"mitigation_remediation": ["Upgrade the SMTP for Sendinblue \u2013 YaySMTP plugin to the latest release (\u2265\u202f1.3) where the stored\u2011XSS weakness is resolved.", "If an upgrade cannot be performed immediately, restrict the email\u2011log view pages so that only administrators can access them, thereby blocking unauthenticated exploitation.", "Implement a Web Application Firewall or server\u2011level rule that blocks or sanitizes script tags inserted into log content to mitigate the vulnerability until the plugin is updated."], "summary": {"action": "Patch", "impact": "Stored XSS that can execute arbitrary scripts whenever anyone views an injected email log page"}, "threat_synthesis": {"affected_systems": "WordPress sites that employ the SMTP for Sendinblue \u2013 YaySMTP plugin version 1.2 or earlier are affected. The product is sold by yaycommerce, and no additional operating system or server platform is implicated beyond the WordPress environment.", "description_and_impact": "The SMTP for Sendinblue \u2013 YaySMTP WordPress plugin (versions up to and including 1.2) harbors a stored cross\u2011site scripting flaw (CWE\u201179). Inadequate input sanitization and output escaping enable an attacker to embed malicious JavaScript into the plugin\u2019s email log entries. When any user opens a log page containing the injected script, the browser executes it, potentially stealing credentials, defacing the site, or redirecting the user to malicious content.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.2, indicating high severity, while an EPSS score of under 1% implies a currently low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, but it is unauthenticated, meaning any visitor could inject scripts by abusing the plugin\u2019s logging panel, and the stored nature of the XSS causes the risk to persist for all subsequent viewers of the contaminated page."}}}}, "created": "2026-04-22T02:15:05.411711+00:00", "updated": "2026-04-22T02:15:05.411721+00:00", "vendors": []}