As per the recent security update, the Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress has been found to be vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping.

In this post, we will provide a deep dive into the vulnerability, including code snippets and exploit details. The flaw allows an unauthenticated attacker to inject malicious web scripts into pages, and the injected scripts execute whenever a user accesses the infected page.

Vulnerability Details

The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress has a critical security flaw caused by insufficient input sanitization and output escaping. As a result, attackers can inject malicious scripts that the site stores and later serves to other users, which is Stored Cross-Site Scripting (XSS).

The details of the vulnerability are listed below:

Vulnerable Plugin: Site Mailer – SMTP Replacement, Email API Deliverability & Email Log
Affected Versions: <= 1.2.3

This vulnerability has been assigned the identifier CVE-2025-1319.

Exploit Details

An attacker might inject arbitrary web scripts into pages by exploiting the Stored XSS vulnerability. These injected scripts will execute whenever an unsuspecting user accesses the infected page, potentially leading to data theft, defacement, and other malicious actions.

To further illustrate the exploit, let's consider an example. In the following code snippet, we can see the vulnerable code lacking proper input sanitization and output escaping:

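// User-supplied POST values are read as-is, with no sanitization.
$email_to = $_POST['email_to'];
$email_from = $_POST['email_from'];
$email_subject = $_POST['email_subject'];
$email_body = $_POST['email_body'];

// The raw values are passed on without validation or escaping.
wp_mail($email_to, $email_subject, $email_body, $email_from);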

In this code snippet, the POST variables containing user-supplied data are not sanitized or escaped, making the plugin vulnerable to Stored XSS attacks. By merely submitting a malicious script as the value of any of these POST variables, an attacker can take advantage of the vulnerability.

For instance, the attacker may submit the following malicious script as the 'email_from' value:

<script>alert('XSS Attack');</script>

Now, whenever a user accesses the infected page, the malicious JavaScript code embedded in the 'email_from' field will execute in that user's browser, completing the Stored XSS attack.

Original References

For more information on the vulnerability, refer to the following original resources that were posted when the vulnerability was discovered:

1. WordPress Plugin Vulnerability Database - Site Mailer
2. CVE-2025-1319 - Site Mailer Stored XSS

How to Address this Vulnerability

To mitigate the risk associated with the Stored XSS vulnerability in your WordPress site, you must take the following actions:

1. Update the affected plugin: Site Mailer – SMTP Replacement, Email API Deliverability & Email Log, to the latest version that includes the security fixes. If possible, consider updating to version 1.2.4 or later.
2. As a best practice, ensure that your WordPress installation, themes, and other plugins are also up-to-date with the latest security patches.
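
For developers maintaining similar code, the root cause named above (missing input sanitization and output escaping) is addressed at both ends: validate on input, escape on output. The following is an added example, not the plugin's code or its patch; the log row and the helper functions are hypothetical, and plain PHP is used so it runs without WordPress, with the WordPress equivalents named in comments.

```php
<?php
// Added illustration, not Site Mailer code. The log row and helpers below are
// hypothetical; plain PHP is used so the script runs without WordPress.

// Constructed sample: a stored log entry whose 'email_from' holds the payload
// quoted in this post.
$stored_row = [
    'email_to'      => 'user@example.com',
    'email_from'    => "<script>alert('XSS Attack');</script>",
    'email_subject' => 'Hello',
];

// Input side: accept only a syntactically valid address, reject anything else.
// WordPress equivalents: is_email() / sanitize_email().
function clean_address(string $raw): ?string
{
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Input side for free text: drop tags and control characters.
// WordPress equivalent: sanitize_text_field().
function clean_text(string $raw): string
{
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($raw)));
}

// Output side, unsafe: the stored value is written into HTML as-is.
function render_cell_unsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Output side, safe: escape for the HTML context at render time, even if the
// value was sanitized on input. WordPress equivalent: esc_html().
function render_cell_safe(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

echo "unsafe: ", render_cell_unsafe($stored_row['email_from']), PHP_EOL;
echo "safe:   ", render_cell_safe($stored_row['email_from']), PHP_EOL;
echo "address accepted: ", var_export(clean_address($stored_row['email_from']), true), PHP_EOL;
echo "subject stored:   ", clean_text("Hi <b>there</b>\r\n"), PHP_EOL;
```

Escaping at render time is the control that matters for rows already stored before an update, since input validation only protects new submissions.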

Conclusion

Stored XSS vulnerabilities pose severe risks to end-users if exploited. The recent CVE-2025-1319 vulnerability disclosure in the popular Site Mailer plugin for WordPress reaffirms the importance of frequently updating plugins and maintaining a robust security posture to protect your website and user data.

Timeline

Published on: 02/28/2025 13:15:27 UTC
Last modified on: 03/06/2025 15:09:58 UTC