Vulnerability:
- Title: YaySMTP < 2.2.2 - Admin+ Stored Cross-Site Scripting
- CVE: CVE-2022-2372
- Description: The plugin does not sanitize and escape some of its settings, allowing high-privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (e.g., in a multisite setup).

Impact:
- Type: XSS
- OWASP Top 10: A7: Cross-Site Scripting (XSS)
- CWE: CWE-79
- CVSS: 3.4 (Low)

Affects Plugins:
- Plugin: yaysmtp
- Fixed in: 2.2.2

Miscellaneous:
- Original Researcher: Rafshanzani Suhada
- Submitter: Rafshanzani Suhada
- Verified: Yes
- WPVDB ID: 941fad6-0009-4751-b979-88e87ebb1e45

Timeline:
- Publicly Published: 2022-07-18 (about 3 years ago)
- Added: 2022-07-18 (about 3 years ago)
- Last Updated: 2023-04-15 (about 2 years ago)

Proof of Concept:
- Place the following payload in the From Email or From Name settings and save them:
  " autofocus onfocus=alert(/XSS/)//

Additional References:
- Other vulnerabilities listed under the same category include plugins like WP-Player, ti.tl auto Twitter poster, Survey Maker, RegistrationMagic, and Logo Showcase, with similar vulnerability types and contexts.
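The description pins the root cause to two missing steps: settings are neither sanitized on save nor escaped on output. The note about unfiltered_html matters because on a single site an administrator normally holds that capability and may legitimately store raw HTML; once it is removed (multisite, or a hardened site), core filters post content through KSES, but a plugin's own settings fields only get that protection if the plugin applies it. The following PHP is an added illustration of the vulnerable pattern beside a hardened one built on WordPress core functions; it is not YaySMTP's code, and the option names (my_smtp_from_email, my_smtp_from_name), the settings group and the field markup are assumptions.

```php
<?php
// Added illustration, not YaySMTP's code. Option names, settings group and
// markup are assumptions; register_setting, sanitize_email, sanitize_text_field,
// esc_attr, get_option and update_option are WordPress core functions.

// --- Pattern that produces CWE-79 in a settings page ---
// The POST value is stored as-is and the stored value is echoed straight into
// an HTML attribute, so a leading double quote closes the attribute and any
// following text becomes new attributes (the PoC relies on exactly this).
function vulnerable_save_from_name() {
    update_option( 'my_smtp_from_name', $_POST['from_name'] ); // no sanitization
}
function vulnerable_render_from_name() {
    $name = get_option( 'my_smtp_from_name', '' );
    echo '<input type="text" name="from_name" value="' . $name . '">'; // no escaping
}

// --- Hardened pattern ---
// 1. Register each option with a sanitize callback so every write, from any
//    code path and any role, passes through it before reaching the database.
function hardened_register_settings() {
    register_setting( 'my_smtp_group', 'my_smtp_from_email', array(
        'type'              => 'string',
        // Anything that is not a valid address (the PoC string included) is reduced to ''.
        'sanitize_callback' => 'sanitize_email',
    ) );
    register_setting( 'my_smtp_group', 'my_smtp_from_name', array(
        'type'              => 'string',
        // Strips tags and control characters. Note it keeps a bare double quote,
        // so on its own it does NOT stop attribute breakout; output escaping must follow.
        'sanitize_callback' => 'sanitize_text_field',
    ) );
}
add_action( 'admin_init', 'hardened_register_settings' );

// 2. Escape at the point of output for the context the value lands in.
//    esc_attr() turns the PoC's leading " into &quot;, so the stored value can
//    no longer terminate the attribute and add autofocus/onfocus handlers.
function hardened_render_fields() {
    $email = get_option( 'my_smtp_from_email', '' );
    $name  = get_option( 'my_smtp_from_name', '' );
    printf( '<input type="email" name="from_email" value="%s">', esc_attr( $email ) );
    printf( '<input type="text"  name="from_name"  value="%s">', esc_attr( $name ) );
}
```

The design point is that sanitization on input and escaping on output are separate controls: the From Name field legitimately contains quotes and apostrophes, so input filtering cannot remove them, and only context-correct escaping (esc_attr for attributes, esc_html for element text) makes the stored value inert. When triaging this advisory on a site, confirm the installed version with `wp plugin get yaysmtp --field=version` and treat anything below 2.2.2 as affected.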