CVE-2025-53256
BaseFortify
Publication date: 2025-06-27
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which auto-mitigates the vulnerability even without an official patch. Users should also restrict administrator privileges carefully and seek professional incident response services if compromise is suspected. No official fixed version is currently available. [1]
Can you explain this vulnerability to me?
This vulnerability is an SQL Injection issue in the WordPress YaySMTP plugin (versions up to 6.8.1). It allows a malicious actor with administrator privileges to manipulate the plugin's database by injecting malicious SQL commands. This can lead to unauthorized data access or manipulation. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to steal or manipulate data stored in the plugin's database. Although exploitation is considered unlikely and the risk low priority, successful attacks could compromise sensitive information or disrupt service availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SQL Injection vulnerability in YaySMTP is challenging because plugin-based malware scanners may be unreliable. There are no specific commands provided for detection. Users are advised to monitor for unusual database interactions by administrators and consider professional incident response services if compromise is suspected. [1]