Impact
The Post SMTP plugin for WordPress is vulnerable to a stored cross‑site scripting flaw in all versions up to and including 3.0.2. The vulnerability stems from insufficient input sanitization and output escaping of the "from" and "subject" parameters, permitting an attacker to inject malicious scripts that are then saved to the database. When a user later loads a page that displays the stored email data, the injected scripts run in the user’s browser, potentially enabling credential theft, session hijacking, website defacement, or further compromise of the site. This weakness is classified as CWE‑79 and represents a high‑impact flaw because it is exploitable by unauthenticated users without the need to compromise the WordPress administrator account.
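The missing output escaping described above, shown as an added example (not Post SMTP's code) that renders one constructed log row with and without escaping. The row layout and the function names are hypothetical; only the "from" and "subject" field names come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Row layout and function names
// are hypothetical; "from" and "subject" are the fields the advisory names.

// Constructed sample: a stored log entry whose header fields carry markup.
// The script body is an inert comment used only as a marker.
$row = [
    'from'    => '"Alice" <alice@example.com><script>/* marker */</script>',
    'subject' => 'Invoice <img src=x onerror="/* marker */">',
];

// Unsafe pattern: stored values are concatenated into HTML unchanged,
// so any markup saved in the database becomes part of the page.
function render_row_unsafe(array $row): string {
    return '<tr><td>' . $row['from'] . '</td><td>' . $row['subject'] . '</td></tr>';
}

// Escape at output time for the HTML text context.
// Inside WordPress, esc_html() is the usual function for this.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every stored field is escaped where it is printed.
function render_row_safe(array $row): string {
    return '<tr><td>' . h($row['from']) . '</td><td>' . h($row['subject']) . '</td></tr>';
}

// Simple check a reviewer can apply to rendered output: after escaping,
// no raw "<script" or inline event handler should survive in the cell text.
function contains_active_markup(string $html): bool {
    return (bool) preg_match('/<script\b|<[^>]+\son\w+\s*=/i', $html);
}

echo "unsafe: ", render_row_unsafe($row), "\n";
echo "safe:   ", render_row_safe($row), "\n";
var_dump(contains_active_markup(render_row_unsafe($row)));
var_dump(contains_active_markup(render_row_safe($row)));

// Tag stripping on input is not a substitute: a legitimate From header
// contains an angle-bracketed address, which strip_tags() treats as markup.
var_dump(strip_tags('"Alice" <alice@example.com>'));
```

Escaping where the value is printed keeps the stored header intact for display while preventing it from being parsed as HTML.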
Affected Systems
All installations of the WordPress plugin "Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App" with versions 3.0.2 and earlier are affected. These releases are identified by the CPE "cpe:2.3:a:wpexperts:post_smtp:*:*:*:*:*:wordpress:*:*". Any WordPress site running the plugin within these vulnerable versions is at risk.
Risk and Exploitability
The vulnerability has a CVSS score of 7.2, indicating moderate to high severity. The EPSS score of less than 1% suggests that, at the time of analysis, the probability of exploitation is low but not negligible, and there is no indication that the flaw has been observed in the wild or flagged in CISA’s KEV catalog. An attacker can exploit the flaw by embedding a malicious script in the "from" or "subject" field of an email processed by the plugin; no authentication is required. The injected code executes every time a user views the corresponding page, which makes this a persistent threat until mitigated.