CVE-2025-0916: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in yaycommerce YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. Note: The vulnerability was initially patched in version 2.4.8 and was reintroduced in version 2.4.9 with the removal of the wp_kses_post() built-in WordPress sanitization function.
AI Analysis
Technical Summary
CVE-2025-0916 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the YaySMTP and Email Logs WordPress plugin versions 2.4.9 through 2.6.2. The vulnerability stems from improper neutralization of input during web page generation, specifically due to the removal of the wp_kses_post() sanitization function in version 2.4.9, which had previously mitigated this issue in version 2.4.8. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The plugin integrates with multiple SMTP services including Amazon SES, SendGrid, Outlook, Mailgun, Brevo, and Google, making it widely used in WordPress environments that handle email delivery and logging. The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score of 7.2 reflects a high-severity rating due to the ease of exploitation and the potential impact on confidentiality and integrity, although availability is not affected. No public exploit code or active exploitation has been reported yet, but the reintroduction of the vulnerability after a prior fix suggests potential oversight in secure coding practices. Organizations using affected plugin versions should urgently review and update to patched versions once available or apply alternative mitigations to prevent script injection.
Potential Impact
The impact of CVE-2025-0916 is significant for organizations using the affected YaySMTP and Email Logs plugin versions. Successful exploitation can lead to stored XSS attacks, allowing attackers to execute arbitrary scripts in the context of authenticated users’ browsers. This can result in theft of sensitive information such as session cookies, credentials, or personally identifiable information, leading to account compromise and unauthorized access. Attackers may also perform actions on behalf of users, potentially modifying email logs or configurations, which could disrupt email delivery or facilitate further attacks such as phishing. The vulnerability affects confidentiality and integrity but does not impact availability directly. Given the plugin’s integration with major SMTP services, organizations relying on these email infrastructures for critical communications, including e-commerce, customer notifications, and internal alerts, face increased risk of data breaches and operational disruption. The lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat surface. Although no known exploits are currently active in the wild, the vulnerability’s presence in widely deployed WordPress plugins means a large number of websites could be targeted, especially those with high traffic or valuable user data.
Mitigation Recommendations
To mitigate CVE-2025-0916, organizations should immediately verify the installed version of the YaySMTP and Email Logs plugin and upgrade to a version in which the vulnerability is fully patched once released. Until an official patch is available, consider the following actions:
- Re-enable or implement input sanitization and output escaping, such as wp_kses_post(), so that stored content is neutralized before it is rendered.
- Restrict access to plugin pages that render user-generated content by applying strict user role permissions or IP-based access controls.
- Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads aimed at the plugin's endpoints.
- Conduct code reviews and security testing on customizations or integrations involving the plugin to identify injection points.
- Monitor logs and user activity for unusual behavior indicative of exploitation attempts.
- Educate site administrators about the risks of installing unverified plugin versions and the importance of timely updates.
Additionally, consider isolating critical email infrastructure components and enforcing Content Security Policy (CSP) headers to limit the scope of script execution. These mitigations focus on the plugin's specific weakness (missing output escaping) and its operational context rather than generic advice.
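The first step above is a version check. As an added example (not code from the page or from the plugin vendor), the POSIX shell script below reads the Version header from a plugin's main PHP file and tests it against the affected range 2.4.9 to 2.6.2; the file path and the sample header are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag an installed YaySMTP copy whose version lies in the
# affected range 2.4.9..2.6.2 for CVE-2025-0916. The sample plugin file is
# constructed for the demo; on a real site point PLUGIN_FILE at the plugin's
# main PHP file under wp-content/plugins/ (that path is an assumption).

# Compare two dotted numeric versions; prints -1, 0 or 1 (strcmp-style).
# Missing components count as 0, so 2.4 equals 2.4.0.
vercmp() {
  a="$1."
  b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"
    a="${a#*.}"
    y="${b%%.*}"
    b="${b#*.}"
    if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
  done
  echo 0
}

# True (exit 0) when the version is within 2.4.9 <= v <= 2.6.2.
is_affected() {
  [ "$(vercmp "$1" 2.4.9)" -ge 0 ] && [ "$(vercmp "$1" 2.6.2)" -le 0 ]
}

# Extract the numeric part of the "Version:" line from a plugin header comment.
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n1
}

# Constructed sample plugin file standing in for the real main PHP file.
PLUGIN_FILE="${TMPDIR:-/tmp}/yaysmtp-sample.php"
cat > "$PLUGIN_FILE" <<'EOF'
<?php
/**
 * Plugin Name: YaySMTP (constructed sample header, not the vendor's file)
 * Version: 2.5.1
 */
EOF

installed=$(plugin_version "$PLUGIN_FILE")
if is_affected "$installed"; then
  echo "version $installed is in the affected range 2.4.9-2.6.2: update the plugin"
else
  echo "version $installed is outside the affected range"
fi
```

On a site with WP-CLI, `wp plugin list --fields=name,version` reports the same version information without parsing the header yourself.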
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Netherlands, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-30T23:47:51.507Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b6db7ef31ef0b55555e
Added to database: 2/25/2026, 9:36:45 PM
Last enriched: 2/27/2026, 5:55:39 PM
Last updated: 4/11/2026, 10:17:06 PM