YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Security & Risk Analysis

wordpress.org/plugins/yaysmtp

Send WordPress emails successfully with WP Mail SMTP via your favorite mailer

10K active installs v2.7.3 PHP 5.4+ WP 5.5+ Updated Mar 5, 2026
Tags: email-log, gmail-smtp, smtp, wp-mail-smtp, wp-mail
90
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Jun 27, 2025
Safety Verdict

Is YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Safe to Use in 2026?

Generally Safe

Score 90/100

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jun 27, 2025 · Updated 29d ago
Risk Assessment

The "yaysmtp" plugin v2.7.3 presents a mixed security posture. Static analysis shows that 96% of outputs are properly escaped and 78% of SQL queries use prepared statements, but the plugin's attack surface is a major concern: 22 entry points are identified, and 19 of them lack authentication checks. A significant portion of the plugin's functionality is therefore exposed to any user, potentially leading to unauthorized actions or information disclosure. The handlers listed under Attack Surface are all registered on wp_ajax_ hooks (marked "auth"), which WordPress fires only for logged-in users, so the exposure is to authenticated accounts that reach a handler with no further check.

Taint analysis results are reassuring: no critical or high severity flows were found, so the direct risk from malicious input in the analyzed flows appears low. The plugin's vulnerability history, however, is a significant red flag. It has 8 known CVEs, 3 of them high severity, covering SQL Injection, Cross-site Scripting, Missing Authorization, and Sensitive Information Exposure. There are currently no unpatched vulnerabilities, which is positive, but the last vulnerability was reported very recently (2025-06-27), and the historical pattern suggests a recurring tendency for security weaknesses.

In conclusion, while the current version shows improvements in certain areas like output escaping and prepared statements, the large number of unprotected AJAX handlers and the plugin's historical susceptibility to critical vulnerability types necessitate a cautious approach. Users should be aware of the potential for exploitation due to the exposed attack surface, and ongoing vigilance is recommended given the past security issues.

Key Concerns

  • 19 unprotected AJAX handlers
  • Total of 8 known CVEs
  • 3 High severity CVEs
  • 5 Medium severity CVEs
  • Bundled PHPMailer
  • Bundled Guzzle
Vulnerabilities
8

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Security Vulnerabilities

CVEs by Year

2022: 4 CVEs
2023: 1 CVE
2025: 3 CVEs

Severity Breakdown

High: 3
Medium: 5

8 total CVEs

CVE-2025-53256 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

YaySMTP <= 2.6.6 - Authenticated (Administrator+) SQL Injection

Jun 27, 2025 Patched in 2.6.7 (110d)
CVE-2025-47587 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

YaySMTP <= 2.6.4 - Authenticated (Administrator+) SQL Injection

May 7, 2025 Patched in 2.6.5 (7d)
CVE-2025-0916 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

YaySMTP 2.4.9 - 2.6.3 - Unauthenticated Stored Cross-Site Scripting

Feb 18, 2025 Patched in 2.6.4 (51d)
CVE-2023-3093 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email

Jun 12, 2023 Patched in 2.4.6 (599d)
CVE-2022-2371 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

YaySMTP – Simple WP SMTP Mail <= 2.2 - Stored Cross-Site Scripting

Jul 18, 2022 Patched in 2.2.1 (554d)
CVE-2022-2372 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

YaySMTP – Simple WP SMTP Mail <= 2.2.1 - Authenticated (Admin+) Stored Cross-Site Scripting

Jul 15, 2022 Patched in 2.2.2 (557d)
CVE-2022-2370 · medium · 6.5 · Missing Authorization

YaySMTP – Simple WP SMTP Mail <= 2.2 - Missing Authorization to Sensitive Information Exposure

Jul 11, 2022 Patched in 2.2.1 (561d)
CVE-2022-2369 · high · 7.5 · Exposure of Sensitive Information to an Unauthorized Actor

YaySMTP – Simple WP SMTP Mail <= 2.2 - Sensitive Information Disclosure

Jul 11, 2022 Patched in 2.2.1 (561d)
Code Analysis
Analyzed Mar 16, 2026

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 27 (94 prepared)
Unescaped Output: 11 (278 escaped)
Nonce Checks: 4
Capability Checks: 15
File Operations: 49
External Requests: 20
Bundled Libraries: 2

Bundled Libraries

PHPMailer, Guzzle

SQL Query Safety

78% prepared · 121 total queries

Output Escaping

96% escaped · 289 total outputs
Data Flows
All sanitized

Data Flow Analysis

1 flow
<Utils> (includes\Helper\Utils.php:0)
Attack Surface
19 unprotected

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Attack Surface

Entry Points: 22
Unprotected: 19

AJAX Handlers 22

auth · wp_ajax_yaysmtp_save_settings · includes\Functions.php:27
auth · wp_ajax_yaysmtp_save_addition_settings · includes\Functions.php:28
auth · wp_ajax_yaysmtp_send_mail · includes\Functions.php:29
auth · wp_ajax_yaysmtp_fallback_send_mail · includes\Functions.php:30
auth · wp_ajax_yaysmtp_gmail_remove_auth · includes\Functions.php:31
auth · wp_ajax_yaysmtp_gmail_remove_auth_fallback · includes\Functions.php:32
auth · wp_ajax_yaysmtp_yoho_remove_auth · includes\Functions.php:33
auth · wp_ajax_yaysmtp_outlookms_remove_auth · includes\Functions.php:34
auth · wp_ajax_yaysmtp_email_logs · includes\Functions.php:35
auth · wp_ajax_yaysmtp_set_email_logs_setting · includes\Functions.php:36
auth · wp_ajax_yaysmtp_delete_email_logs · includes\Functions.php:37
auth · wp_ajax_yaysmtp_delete_all_email_logs · includes\Functions.php:38
auth · wp_ajax_yaysmtp_detail_email_logs · includes\Functions.php:39
auth · wp_ajax_yaysmtp_overview_chart · includes\Functions.php:40
auth · wp_ajax_yaysmtp_mark_reviewed · includes\Functions.php:41
auth · wp_ajax_yaysmtp_close_popup_import_smtp_settings · includes\ImportSettingsOtherPlugins.php:24
auth · wp_ajax_yaysmtp_import_smtp_settings · includes\ImportSettingsOtherPlugins.php:25
auth · wp_ajax_yaysmtp_import_smtp_email_logs · includes\ImportSettingsOtherPlugins.php:26
auth · wp_ajax_yaysmtp_export_email_log · includes\ImportSettingsOtherPlugins.php:27
auth · wp_ajax_yay_recommended_get_plugin_data · includes\YayCommerceMenu\OtherPluginsMenu.php:27
auth · wp_ajax_yay_recommended_activate_plugin · includes\YayCommerceMenu\OtherPluginsMenu.php:28
auth · wp_ajax_yay_recommended_upgrade_plugin · includes\YayCommerceMenu\OtherPluginsMenu.php:29
WordPress Hooks 31
action · init · includes\CLI\CLI.php:30
action · wp_dashboard_setup · includes\Dashboard.php:22
filter · script_loader_tag · includes\Engines\Registries\RegisterFacade.php:23
action · init · includes\Engines\Registries\RegisterFacade.php:24
action · init · includes\Engines\Registries\RegisterProd.php:19
action · init · includes\I18n.php:18
action · admin_notices · includes\ImportSettingsOtherPlugins.php:29
action · admin_menu · includes\Page\Settings.php:27
filter · admin_body_class · includes\Page\Settings.php:28
action · network_admin_menu · includes\Page\Settings.php:29
action · admin_enqueue_scripts · includes\Page\Settings.php:33
action · admin_enqueue_scripts · includes\Page\Settings.php:34
action · admin_enqueue_scripts · includes\Page\Settings.php:35
action · init · includes\PluginCore.php:28
action · phpmailer_init · includes\PluginCore.php:34
filter · wp_mail_from · includes\PluginCore.php:35
filter · wp_mail_from_name · includes\PluginCore.php:36
filter · cron_schedules · includes\Schedule.php:21
filter · cron_schedules · includes\Schedule.php:22
action · yaysmtp_delete_email_log_schedule_hook · includes\Schedule.php:26
action · yaysmtp_send_email_report_weekly_schedule_hook · includes\Schedule.php:38
action · yaysmtp_send_email_report_monthly_schedule_hook · includes\Schedule.php:45
action · yaysmtp_send_before · includes\TrackingEvents\TrackingEventApi.php:45
action · rest_api_init · includes\TrackingEvents\TrackingEventApi.php:48
action · network_admin_notices · includes\UpdateVersion.php:6
action · admin_notices · includes\UpdateVersion.php:7
action · admin_enqueue_scripts · includes\YayCommerceMenu\RegisterMenu.php:56
action · admin_menu · includes\YayCommerceMenu\RegisterMenu.php:57
action · network_admin_menu · includes\YayCommerceMenu\RegisterMenu.php:58
action · admin_menu · includes\YayCommerceMenu\RegisterMenu.php:59
action · plugins_loaded · yay-smtp.php:140

Scheduled Events 3

yaysmtp_delete_email_log_schedule_hook
yaysmtp_send_email_report_weekly_schedule_hook
yaysmtp_send_email_report_monthly_schedule_hook
Maintenance & Trust

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 5.4
Downloads: 239K

Community Trust

Rating: 98/100
Number of ratings: 42
Active installs: 10K
Developer Profile

YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service Developer Profile

YayCommerce

16 plugins · 78K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 133 days
Detection Fingerprints

How We Detect YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yaysmtp/assets/css/frontend.css
/wp-content/plugins/yaysmtp/assets/css/admin.css
/wp-content/plugins/yaysmtp/assets/js/frontend.js
/wp-content/plugins/yaysmtp/assets/js/admin.js
/wp-content/plugins/yaysmtp/assets/js/settings.js
Script Paths
/wp-content/plugins/yaysmtp/assets/js/frontend.js
/wp-content/plugins/yaysmtp/assets/js/admin.js
/wp-content/plugins/yaysmtp/assets/js/settings.js
Version Parameters
yaysmtp/assets/css/frontend.css?ver=
yaysmtp/assets/css/admin.css?ver=
yaysmtp/assets/js/frontend.js?ver=
yaysmtp/assets/js/admin.js?ver=
yaysmtp/assets/js/settings.js?ver=

HTML / DOM Fingerprints

CSS Classes
yaysmtp-ui
Data Attributes
data-test-id
JS Globals
window.YaySmtp
FAQ

Frequently Asked Questions about YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service