Description
Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.
Published: 2026-06-15
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Cross-Site Scripting (XSS) vulnerability exists in the WordPress Post SMTP plugin, versions 3.6.2 and earlier. An attacker who can get a user to open a crafted request against a vulnerable site can inject arbitrary client-side script into a page the plugin renders; the script then runs in that user's browser, where it can read session cookies or tokens, perform actions with the user's privileges, deface content or redirect the victim. The weakness is CWE-79, improper neutralization of input during web page generation: the plugin takes attacker-controlled input and reflects it into HTML without escaping it for the output context. No login is needed to supply the input (CVSS PR:N), but the victim must interact, typically by following a link (UI:R), which is the profile of a reflected XSS rather than a stored one.
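To make the CWE-79 pattern concrete, the following PHP is an added illustrative example written for this page; it is not code from the Post SMTP plugin and does not reproduce the actual vulnerable sink. It places a generic "reflect a request parameter into HTML" function next to a hardened version that uses the WordPress escaping helpers, and shows why escaping for the output context (not just sanitizing the input) is what stops the injection. The function names, the `msg` parameter and the sample payloads are assumptions; the small stand-in definitions at the top exist only so the file runs with a plain `php` CLI outside WordPress, where the real helpers replace them.

```php
<?php
// Added illustrative example (not code from Post SMTP). Shows the CWE-79
// pattern the advisory describes, request input reflected into a page without
// neutralization, beside a hardened version that escapes for the output
// context. Function names, the 'msg' parameter and payloads are assumed.

// Minimal stand-ins so the file runs with plain `php` outside WordPress.
// Inside WordPress the real helpers exist and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Simplified stand-in: strip tags and control characters, collapse whitespace.
    function sanitize_text_field( $s ) {
        $s = strip_tags( (string) $s );
        $s = preg_replace( '/[\x00-\x1F\x7F]+/', '', $s );
        return trim( preg_replace( '/\s+/', ' ', $s ) );
    }
}

// Vulnerable: the parameter is written straight into HTML text and into an
// attribute value. Anyone who gets a user to open a crafted URL (CVSS PR:N,
// UI:R) runs script in that user's browser.
function hypothetical_notice_vulnerable( array $request ) {
    $msg = isset( $request['msg'] ) ? $request['msg'] : '';
    return '<div class="notice"><p>' . $msg . '</p></div>'
         . '<input type="text" name="subject" value="' . $msg . '">';
}

// Hardened: sanitize on the way in and, independently, escape for the exact
// output context on the way out. Sanitizing alone is not enough: a value such
// as `" autofocus onfocus="alert(1)` contains no tag, survives strip_tags()
// intact, and only esc_attr() neutralizes it inside the attribute.
function hypothetical_notice_hardened( array $request ) {
    $msg = isset( $request['msg'] ) ? sanitize_text_field( wp_unslash( $request['msg'] ) ) : '';
    return '<div class="notice"><p>' . esc_html( $msg ) . '</p></div>'
         . '<input type="text" name="subject" value="' . esc_attr( $msg ) . '">';
}

// Constructed demo input: one payload for the text context and one that breaks
// out of the attribute without using a tag at all.
$payloads = [
    '<script>alert(document.cookie)</script>',
    '" autofocus onfocus="alert(1)',
];
foreach ( $payloads as $p ) {
    echo "payload:    $p\n";
    echo 'vulnerable: ' . hypothetical_notice_vulnerable( [ 'msg' => $p ] ) . "\n";
    echo 'hardened:   ' . hypothetical_notice_hardened( [ 'msg' => $p ] ) . "\n\n";
}
```

Run it with `php xss-demo.php`: the vulnerable output contains the payloads verbatim, while the hardened output shows `&lt;script&gt;` in the text context and `&quot;` for the attribute-breaking quote. The second payload is the one to remember when reviewing plugin code, because input sanitization that only strips tags lets it through.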

Affected Systems

The affected product is the Post SMTP plugin for WordPress, developed by WPExperts. Every installation running version 3.6.2 or earlier is vulnerable, independent of the WordPress core version. Other plugins, themes and WordPress core are not affected by this flaw, but because the injected script runs in the browser of whoever is targeted (CVSS scope: changed), an administrator who is lured into the crafted request exposes the whole site, not only the plugin.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) describes a network-reachable, low-complexity flaw that needs no privileges but does need user interaction, with changed scope (the script executes in the victim's browser, outside the plugin's own security domain) and low impact on confidentiality, integrity and availability. The EPSS score below 1% is an estimate of the probability of exploitation in the wild over the next 30 days, not a count of observed attacks, and the vulnerability is absent from the CISA KEV catalog, so there is no confirmed evidence of active exploitation at the time of writing. Because no credentials are required, the realistic attack is a phishing link or an attacker-controlled page that sends the crafted request to the target site; the payload then runs with whatever session the victim already holds. If that victim is a logged-in administrator, the script can drive the WordPress admin interface, including the plugin's own SMTP settings, which is how a "low" per-metric impact turns into a site compromise. Note that reflected XSS leaves no artifact on the server, so the absence of injected files does not show that a site was never targeted.

Generated by OpenCVE AI on June 16, 2026 at 20:30 UTC.

Remediation

Vendor Solution

Update the WordPress Post SMTP Plugin to the latest available version (at least 3.6.3).


OpenCVE Recommended Actions

  • Update Post SMTP to 3.6.3 or newer on every site that runs it, and confirm the installed version afterwards rather than assuming an automatic update succeeded.
  • Run a scanner such as Wordfence or Sucuri, but treat a clean result with care: a reflected XSS writes nothing to disk. Additionally review administrator accounts, recent option changes (including the SMTP credentials and sender settings the plugin stores) and scheduled tasks for modifications that a hijacked administrator session could have made.
  • Restrict who can reach and change the plugin's SMTP settings to administrators, and where the site can support it serve a Content-Security-Policy that disallows inline script. Neither replaces the update; they limit what an injected script can do if a similar flaw appears later.



Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Wordpress; Wordpress wordpress; Wpexperts; Wpexperts post Smtp
Vendors & Products    -                Wordpress; Wordpress wordpress; Wpexperts; Wpexperts post Smtp

Mon, 15 Jun 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   -                Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.
Title         -                WordPress Post SMTP plugin <= 3.6.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:59:16.931Z

Reserved: 2026-05-25T14:28:27.466Z

Link: CVE-2026-48838

Vulnrichment

Updated: 2026-06-16T12:59:09.286Z

NVD

Status: Deferred

Published: 2026-06-15T21:17:16.090

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:45:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')