CVE-2022-2371

CVE-2022-2371: YaySMTP < 2.2.1 - Subscriber+ Stored Cross-Site Scripting

Vendor Unknown

Product YaySMTP – Simple WP SMTP Mail

Weakness CWE-79 · XSS

Published August 8, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The YaySMTP WordPress plugin before 2.2.1 does not have proper authorisation when saving its settings, allowing users with a role as low as subscriber to change them, and use that to conduct Stored Cross-Site Scripting attack due to the lack of escaping in them as well.

Key dates

02Disclosure timeline

August 8, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-2371 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-37246 WordPress Gallery Slideshow plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability CVE-2023-41657 WordPress HollerBox Plugin <= 2.3.2 is vulnerable to Cross Site Scripting (XSS) CVE-2024-7388 WP Bannerize Pro <= 1.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting CVE-2025-9682 O2OA Personal Profile appdict cross site scripting CVE-2023-29023 Rockwell Automation ArmorStart ST Vulnerable to Cross-Site Scripting Attack