CVE-2025-54043

2025-07-16 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:43 (vuln.today)
CVE Published: Jul 16, 2025 - 11:15 (nvd)
N/A

Description (NVD)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES smtp-amazon-ses allows SQL Injection. This issue affects SMTP for Amazon SES: from n/a through <= 1.9.

Analysis (AI)

SQL injection in YayCommerce SMTP for Amazon SES WordPress plugin through version 1.9 allows authenticated attackers to execute arbitrary SQL queries against the site database. The vulnerability exists in the plugin's improper handling of user input in SQL commands, enabling data exfiltration, modification, or deletion. Although no CVSS vector or public exploit code has been published, the low EPSS score (0.05%, 15th percentile) suggests limited practical exploitation despite the vulnerability's presence in an actively maintained plugin.

Technical Context (AI)

The vulnerability is a classic SQL injection flaw (CWE-89) in the YayCommerce SMTP for Amazon SES WordPress plugin, which provides integration between WordPress sites and Amazon Simple Email Service (SES) for outbound mail handling. The plugin improperly neutralizes special SQL characters in user-supplied input, allowing attackers to inject malicious SQL syntax directly into database queries. WordPress plugins operate with direct database access in the context of the site's wp-config.php credentials, making SQL injection particularly dangerous as it can lead to full WordPress database compromise including user credentials and sensitive post/page data.
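To make the CWE-89 pattern concrete, here is an added example in PHP that is not code from the SMTP for Amazon SES plugin (the advisory does not say where in the plugin the flaw lies). It shows a hypothetical log-lookup function written first the way the vulnerability description implies (user input concatenated into the SQL string) and then hardened with the standard WordPress `$wpdb->prepare()` placeholders, an identifier allow-list and a capability check. The table name `email_log`, the columns and the function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. A hypothetical query written two ways.
// Table, column and function names are assumptions.

// Vulnerable form: $status is concatenated straight into the SQL text, so a
// value containing a single quote or a comment marker changes the structure
// of the query instead of being treated as data (CWE-89).
function get_email_log_vulnerable( $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'email_log'; // hypothetical table
    $sql   = "SELECT id, recipient, sent_at FROM {$table} WHERE status = '" . $status . "'";
    return $wpdb->get_results( $sql );
}

// Hardened form:
//  - the request is refused unless the caller holds an admin capability,
//    which closes off the authenticated low-privilege path the analysis names;
//  - $wpdb->prepare() binds %s and %d placeholders, so the value is escaped
//    for MySQL and can never alter the query's shape;
//  - identifiers (the ORDER BY column) cannot be bound as placeholders, so
//    they are taken from a fixed allow-list rather than from the request.
function get_email_log_hardened( $status, $order_by = 'sent_at', $limit = 100 ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    $table   = $wpdb->prefix . 'email_log'; // hypothetical table
    $allowed = array( 'id', 'recipient', 'sent_at' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'sent_at';
    }

    $sql = $wpdb->prepare(
        "SELECT id, recipient, sent_at FROM {$table} WHERE status = %s ORDER BY {$order_by} LIMIT %d",
        $status,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}
```

The two defences are independent: the capability check limits who can reach the query at all, while `$wpdb->prepare()` guarantees that whatever does reach it is treated as a value, not as SQL. When reviewing a plugin for this class of bug, look for `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` calls whose SQL string is built with `.` concatenation or `"{$var}"` interpolation of anything that originates in `$_GET`, `$_POST`, `$_REQUEST` or REST/AJAX parameters.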

Affected Products (AI)

YayCommerce SMTP for Amazon SES WordPress plugin versions from an unspecified baseline through version 1.9 (inclusive). The plugin is distributed through the WordPress.org plugin repository and identified by CPE references related to WordPress plugins. Users can verify their version in WordPress Admin > Plugins; the plugin slug is typically 'smtp-amazon-ses' or a similar YayCommerce variant.

Remediation (AI)

Upgrade the SMTP for Amazon SES plugin to version 1.10 or later, which patches the SQL injection vulnerability. From the WordPress admin dashboard, navigate to Plugins, locate SMTP for Amazon SES, and click 'Update' if available, or deactivate and remove the plugin if upgrading is not immediately feasible. Per the Patchstack security advisory (https://patchstack.com/database/Wordpress/Plugin/smtp-amazon-ses/vulnerability/wordpress-smtp-for-amazon-ses-plugin-1-9-sql-injection-vulnerability?_s_id=cve), the patch is available in the official WordPress plugin repository. As an interim measure, restrict administrative access to sensitive settings and monitor database query logs for suspicious SQL patterns if the update cannot be deployed immediately.
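For administrators who want to confirm the installed version outside the dashboard (for example across many sites), the following added PHP example, which is neither the plugin's nor vuln.today's code, reads the `Version:` header that every WordPress plugin declares in its main file and compares it against the first fixed release named above, 1.10. The sample header is constructed inline; on a live site the header would be read from the plugin's main file under `WP_PLUGIN_DIR`, whose file name for this plugin is not given on this page and is left as a placeholder.

```php
<?php
// Added example, not the plugin's code. Checks a WordPress plugin header
// against the fixed version from the remediation (1.10).

const FIXED_VERSION = '1.10';

// Pull the value of the "Version:" header line out of a plugin file header.
// The pattern mirrors the header format WordPress itself parses:
// an optional comment prefix, the key, a colon, then the value.
function plugin_version_from_header( string $header ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m ) ) {
        return $m[1];
    }
    return null;
}

// version_compare() understands dotted release numbers, so 1.9 sorts before
// 1.10. A plain string comparison (strcmp, <, >) compares character by
// character and would wrongly rank '1.9' above '1.10', reporting a still
// vulnerable install as patched.
function is_affected( string $installed ): bool {
    return version_compare( $installed, FIXED_VERSION, '<' );
}

// Constructed sample header standing in for the plugin's main file. On a
// real site read it with something like:
//   file_get_contents( WP_PLUGIN_DIR . '/smtp-amazon-ses/<main-file>.php' )
$sample_header = <<<'HDR'
/**
 * Plugin Name: SMTP for Amazon SES
 * Version: 1.9
 */
HDR;

$installed = plugin_version_from_header( $sample_header );
if ( $installed === null ) {
    echo "Version header not found\n";
} elseif ( is_affected( $installed ) ) {
    echo "Installed {$installed}: affected, update to " . FIXED_VERSION . " or later\n";
} else {
    echo "Installed {$installed}: at or above the fixed version\n";
}
```

Inside WordPress the same header can be obtained with the core `get_plugin_data()` function from `wp-admin/includes/plugin.php`, which returns the `Version` field among others; the comparison logic is the point here, since a version check that uses string ordering instead of `version_compare()` is a common source of false "patched" results exactly at the 1.9 to 1.10 boundary this advisory sits on.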


CVE-2025-54043 vulnerability details – vuln.today
