Description
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled.
Published: 2026-03-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Patch plugin
AI Analysis

Impact

An unauthenticated attacker can inject JavaScript through the 'event_type' parameter of the Post SMTP plugin. Because the value is neither adequately sanitized on input nor escaped on output, the injected code is stored and later executed in the WordPress pages that display the event logs. This stored XSS can lead to data theft, session hijacking, defacement, or malware installation for any visitor who loads the compromised page. The weakness is classified as CWE‑79 – Improper Neutralization of Input During Web Page Generation.

Affected Systems

The vulnerability affects all versions up to and including 3.8.0 of the Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, published by saadiqbal. It is only reachable when the Post SMTP Pro extension is installed and its Reporting and Tracking component is enabled, because that is where the vulnerable code path is exercised.

Risk and Exploitability

CVSS base score is 7.2, indicating a high‑impact threat. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack requires no authentication: it needs only network access to the WordPress installation, the presence of the Pro plugin, and the Reporting/Tracking feature enabled. An attacker may craft a malicious 'event_type' payload, store it through the plugin's interface, and then wait for other users to view the affected page, where the script will run in their browsers. Given these preconditions, the likelihood of immediate exploitation is moderate, but the impact remains significant; patching is strongly recommended.

Generated by OpenCVE AI on March 18, 2026 at 16:21 UTC.
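The store-then-render pattern behind the description above, as an added illustration that is not Post SMTP's code: a hypothetical minimal event log that keeps an 'event_type' value and later prints it into an admin page, first without sanitization or escaping and then with both. It assumes WordPress's sanitize_text_field() and esc_html() and, when run outside WordPress, substitutes plain PHP stand-ins for them; the allow-list of event types is invented for the example.

```php
<?php
// Added illustration for CVE-2026-3090; not Post SMTP's code. Assumes WordPress
// helpers sanitize_text_field() and esc_html(); outside WordPress the stand-ins
// below (plain PHP equivalents) are used so the file runs on its own.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) { return trim( strip_tags( (string) $text ) ); }
}

// Vulnerable pattern: the raw request value is stored, and the raw stored value is echoed.
function demo_store_event_vulnerable( array $request, array &$log ): void {
    $log[] = [ 'event_type' => $request['event_type'] ?? '' ]; // no input sanitization
}
function demo_render_vulnerable( array $log ): string {
    $html = '<table>';
    foreach ( $log as $row ) {
        $html .= '<tr><td>' . $row['event_type'] . '</td></tr>'; // no output escaping
    }
    return $html . '</table>';
}

// Hardened pattern: allow-list and sanitize on the way in, escape on the way out.
// Escaping alone removes the XSS; the (hypothetical) allow-list additionally rejects
// values the plugin never produces, so junk never reaches the log at all.
const DEMO_ALLOWED_EVENT_TYPES = [ 'sent', 'failed', 'opened', 'bounced' ];
function demo_store_event_hardened( array $request, array &$log ): void {
    $type = sanitize_text_field( $request['event_type'] ?? '' );
    if ( ! in_array( $type, DEMO_ALLOWED_EVENT_TYPES, true ) ) {
        $type = 'unknown';
    }
    $log[] = [ 'event_type' => $type ];
}
function demo_render_hardened( array $log ): string {
    $html = '<table>';
    foreach ( $log as $row ) {
        $html .= '<tr><td>' . esc_html( $row['event_type'] ) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed sample request: a benign value that merely contains markup.
$request = [ 'event_type' => '<i>not-a-real-type</i>' ];
$vulnerable_log = []; $hardened_log = [];
demo_store_event_vulnerable( $request, $vulnerable_log );
demo_store_event_hardened( $request, $hardened_log );
echo demo_render_vulnerable( $vulnerable_log ), "\n"; // the <i> tags reach the browser intact
echo demo_render_hardened( $hardened_log ), "\n";     // stored value was reduced to "unknown"
echo demo_render_hardened( $vulnerable_log ), "\n";   // rows stored before a fix are still shown as text
```

The last line is the point that matters after patching: rows written while the plugin was vulnerable remain in the database, so the fix has to escape on output rather than rely on sanitizing future input only.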

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Post SMTP plugin to the latest version (≥3.8.1) to eliminate the XSS flaw.
  • Disable the Post SMTP Pro plugin or turn off the Reporting and Tracking extension if an upgrade cannot be performed immediately, thereby removing the vulnerable code path.
  • Verify that the WordPress site runs the latest core version and all other plugins are updated; run vulnerability scans to confirm the issue is resolved.
  • Deploy a Web Application Firewall or configure security plugins to block XSS payloads as an additional line of defense.

Generated by OpenCVE AI on March 18, 2026 at 16:21 UTC.


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values added: Saadiqbal; Saadiqbal post Smtp – Complete Email Deliverability And Smtp Solution With Email Logs, Alerts, Backup Smtp & Mobile App; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Saadiqbal; Saadiqbal post Smtp – Complete Email Deliverability And Smtp Solution With Email Logs, Alerts, Backup Smtp & Mobile App; Wordpress; Wordpress wordpress

Wed, 18 Mar 2026 17:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 15:45:00 +0000

Type: Description
Values added: The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled.

Type: Title
Values added: Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type'

Type: Weaknesses
Values added: CWE-79

Type: References
Values added:

Type: Metrics
Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:13.127Z

Reserved: 2026-02-24T01:24:00.305Z

Link: CVE-2026-3090

Vulnrichment

Updated: 2026-03-18T17:02:47.099Z

NVD

Status : Deferred

Published: 2026-03-18T16:16:28.560

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-3090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:36Z

Weaknesses