CVE-2025-48161

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP smtp-sendinblue allows SQL Injection. This issue affects YaySMTP: from n/a through <= 1.3.

Analysis (AI)

An SQL injection vulnerability in the YayCommerce YaySMTP WordPress plugin, through version 1.3, allows attackers to execute arbitrary SQL commands through the plugin's database queries. The affected plugin is distributed as smtp-sendinblue and the issue was reported by Patchstack security researchers; no public exploit code or confirmed active exploitation has been identified at this time. With an EPSS score of 0.05% (15th percentile), the exploitation probability is currently low despite the severity typically associated with SQL injection.

Technical Context (AI)

This vulnerability is a classic SQL injection flaw (CWE-89) in the YayCommerce YaySMTP plugin, a WordPress SMTP integration for Sendinblue email services. SQL injection occurs when user-supplied input is concatenated into an SQL query without parameterization or prepared statements, allowing an attacker to alter the query's structure. The exact injection point is not identified in the available sources; it lies within the plugin's database interaction layer, most likely in code handling SMTP configuration, email logging, or user data processing. WordPress plugins with database access are particularly sensitive, as they often serve both public and administrative requests with varying degrees of input validation.

Affected Products (AI)

YayCommerce YaySMTP smtp-sendinblue WordPress plugin, from version 1.0 through version 1.3. All installations of this Sendinblue SMTP integration plugin up to and including version 1.3 are affected. No CPE data is provided in the available sources; the plugin is listed in the WordPress plugin repository as 'smtp-sendinblue' under YayCommerce authorship.

Remediation (AI)

Users should upgrade YaySMTP to a patched version as soon as one is available from the plugin developer. Check the WordPress plugin repository for the latest version, or contact YayCommerce directly for security updates beyond version 1.3. If no patched version is available, consider disabling the YaySMTP plugin and using an alternative SMTP solution until a security update is released. As an interim mitigation, restrict the database account used by the plugin to the minimum privileges it needs (read-only where possible), and deploy Web Application Firewall rules that detect and block common SQL injection patterns aimed at SMTP or email configuration endpoints. Monitor the plugin repository and Patchstack (https://patchstack.com/database/Wordpress/Plugin/smtp-sendinblue/) for patched version announcements.
