CVE-2025-48301

2025-07-16

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for SendGrid - YaySMTP smtp-sendgrid allows SQL Injection. This issue affects SMTP for SendGrid - YaySMTP: from n/a through <= 1.5.

Analysis (AI)

SQL injection vulnerability in YayCommerce SMTP for SendGrid (YaySMTP) WordPress plugin version 1.5 and earlier allows authenticated attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability enables data exfiltration, modification, or deletion depending on database permissions. EPSS score of 0.05% indicates low exploitation probability despite the SQL injection classification.

Technical Context (AI)

YaySMTP is a WordPress plugin that integrates SendGrid's SMTP email service. The vulnerability stems from improper neutralization of special SQL characters (CWE-89) in user-supplied input, likely within email configuration, recipient handling, or log filtering functionality. The plugin fails to properly parameterize or sanitize database queries, allowing attackers to inject arbitrary SQL commands that execute with the WordPress database user's privileges. This is a classic SQL injection flaw common in WordPress plugins with direct database access.

Affected Products (AI)

YayCommerce SMTP for SendGrid - YaySMTP WordPress plugin, versions 1.5 and earlier (CPE data not available in source material). The vulnerability affects all installations of this plugin up to and including version 1.5. Additional information and the vendor advisory are available at https://patchstack.com/database/Wordpress/Plugin/smtp-sendgrid/vulnerability/wordpress-smtp-for-sendgrid-yaysmtp-plugin-1-5-sql-injection-vulnerability?_s_id=cve.

Remediation (AI)

Update YaySMTP to the latest patched version immediately (specific fix version number not confirmed in available data; check Patchstack or WordPress.org plugin repository for the earliest version after 1.5). As a temporary workaround if upgrading is delayed, restrict administrative access to WordPress user management and SMTP configuration pages via web application firewall rules or WordPress capability restrictions, though this does not eliminate the underlying flaw. Consult the vendor advisory at https://patchstack.com for detailed patch availability and timeline.
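The Technical Context and Remediation sections above describe the bug class (CWE-89: a plugin query built from unsanitized input, running as the WordPress database user) and the fix (parameterize the query, and gate the page behind capability checks). The following is an added illustration written for this record; it is not YaySMTP's code and makes no claim about where the real flaw sits. The table name, columns, request parameters and nonce action name are hypothetical stand-ins for an "email log filter" feature, chosen only because that is one of the areas the analysis names as plausible.

```php
<?php
// Added illustration of the CWE-89 pattern behind CVE-2025-48301 in a
// WordPress plugin. NOT YaySMTP's code: table, columns and request
// parameters are hypothetical stand-ins for a "filter the mail log" page.

// --- Vulnerable pattern: untrusted input concatenated straight into SQL ---
function demo_log_search_unsafe( $status, $page ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_mail_log'; // hypothetical table name
    // $status and $page arrive from the request untouched. Any quote or SQL
    // syntax inside them becomes part of the statement, which then runs
    // with whatever privileges the WordPress database user holds.
    $sql = "SELECT id, recipient, subject FROM {$table} WHERE status = '{$status}' "
         . "ORDER BY sent_at DESC LIMIT " . ( $page * 20 ) . ", 20";
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern: authorize, validate, then parameterize ---
function demo_log_search_safe() {
    global $wpdb;

    // Only users allowed to manage the plugin should reach this query at all;
    // this is the capability-restriction workaround from the Remediation text.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // CSRF token; 'demo_log_search' is a hypothetical nonce action name.
    check_admin_referer( 'demo_log_search' );

    // Allow-list the status value: anything outside the list never reaches SQL.
    $allowed = array( 'sent', 'failed', 'queued' );
    $status  = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'sent';
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'sent';
    }
    // absint() forces a non-negative integer, so the LIMIT offset cannot be text.
    $page   = isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 0;
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';

    $table = $wpdb->prefix . 'demo_mail_log';

    // $wpdb->prepare() binds values through %s / %d placeholders. Identifiers
    // (the table name) cannot be bound and must come from trusted code, never
    // from the request. esc_like() escapes % and _ so a LIKE search cannot be
    // widened by the caller.
    $sql = $wpdb->prepare(
        "SELECT id, recipient, subject FROM {$table}
         WHERE status = %s AND recipient LIKE %s
         ORDER BY sent_at DESC LIMIT %d, 20",
        $status,
        '%' . $wpdb->esc_like( $search ) . '%',
        $page * 20
    );
    return $wpdb->get_results( $sql );
}
```

The two functions differ in three places a reviewer would check in any WordPress plugin with direct database access: whether the request is authorized (capability plus nonce) before any query runs, whether each input is reduced to an allow-listed or typed value, and whether the final statement goes through `$wpdb->prepare()` rather than string interpolation. The capability check alone is the mitigation the Remediation section calls a temporary workaround; only the `prepare()` change removes the injection itself.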
