The vulnerability is a Cross‑Site Request Forgery that, when triggered by an attacker while a legitimate user is authenticated, allows the attacker to submit data that is stored by the PostmarkApp Email Integrator plugin. The stored data is later rendered in the web page without proper sanitization, enabling persistent Cross‑Site Scripting. An attacker who successfully injects malicious scripts can obtain user credentials, deface the site, or redirect visitors to malicious sites, thereby compromising confidentiality, integrity, and availability of the affected system.

Gagan Deep Singh’s PostmarkApp Email Integrator plugin is affected. All installed copies with versions from the earliest release through 2.4 are vulnerable; versions 2.5 and later are not impacted.

The CVSS score of 7.1 indicates a high severity threat. The EPSS score of less than 1% suggests that exploitation likelihood is currently very low, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The likely attack vector involves an attacker sending a crafted request to a logged‑in site administrator or user, causing the plugin to process malicious input and store it as content that later triggers XSS for site visitors. Because the flaw requires a valid authenticated session, the risk is concentrated on privileged users who have access to the plugin’s configuration area.