{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1043", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T15:53:22.420Z", "datePublished": "2026-02-19T04:36:17.315Z", "dateUpdated": "2026-04-08T17:03:37.150Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:37.150Z"}, "affected": [{"vendor": "gagan0123", "product": "PostmarkApp Email Integrator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page."}], "title": "PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80b03e81-6660-483a-9150-e6075b7bffbd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/tags/2.4/postmarkapp.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L153"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L68"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "timeline": [{"time": "2026-02-18T15:45:28.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T20:35:44.043721Z", "id": "CVE-2026-1043", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:37:09.646Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T20:35:44.043721Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T20:36:03.272Z"}}], "cna": {"title": "PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "credits": [{"lang": "en", "type": "finder", "value": "Bhumividh Treloges"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "gagan0123", "product": "PostmarkApp Email Integrator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:45:28.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80b03e81-6660-483a-9150-e6075b7bffbd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/tags/2.4/postmarkapp.php#L149"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L153"}, {"url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L68"}], "descriptions": [{"lang": "en", "value": "The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:37.150Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1043", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:37.150Z", "dateReserved": "2026-01-16T15:53:22.420Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:17.315Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page."}, {"lang": "es", "value": "El plugin PostmarkApp Email Integrator para WordPress es vulnerable a Cross-Site Scripting Almacenado a trav\u00e9s de la configuraci\u00f3n del plugin en versiones hasta la 2.4, inclusive. Esto se debe a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en los par\u00e1metros pma_api_key y pma_sender_address. Esto hace posible que atacantes autenticados, con acceso de nivel de Administrador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a la p\u00e1gina de configuraci\u00f3n."}], "id": "CVE-2026-1043", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:42.900", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/tags/2.4/postmarkapp.php#L149"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L149"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L153"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/postmarkapp-email-integrator/trunk/postmarkapp.php#L68"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80b03e81-6660-483a-9150-e6075b7bffbd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PostmarkApp Email Integrator", "source": "cna", "vendor": "gagan0123"}, "product": "postmarkapp_email_integrator", "vendor": "gagan0123"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:17:49.877856+00:00", "value": {"mitigation_remediation": ["Upgrade the PostmarkApp Email Integrator plugin to the latest version that removes the insecure input handling.", "If an immediate upgrade is not feasible, restrict or remove Administrator\u2011level access to the plugin\u2019s settings page to prevent new script injections.", "Configure a Content Security Policy that blocks inline scripts and does not allow execution from untrusted sources, and enable the browser\u2019s XSS filter or a web application firewall to detect and block malicious payloads."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the PostmarkApp Email Integrator plugin developed by gagan0123, specifically all versions up to and including 2.4.", "description_and_impact": "The PostmarkApp Email Integrator plugin for WordPress is vulnerable to stored Cross\u2011Site Scripting in its pma_api_key and pma_sender_address fields because the input from these fields is not properly sanitized or escaped. An attacker who has Administrator\u2011level access can inject arbitrary JavaScript into the plugin settings. When any user, even one without administrative rights, visits the settings page, the injected script executes in that user\u2019s browser, potentially allowing the attacker to steal credentials, deface the site, or perform other malicious actions within the user\u2019s session context.", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium impact rating, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to have authenticated Administrator\u2011level access; the attack vector, therefore, is an authenticated privilege escalation within the WordPress installation. Once the attacker injects script into the plugin settings, the script will run automatically for any user who views that page."}}}}, "created": "2026-02-19T10:07:05.964435+00:00", "updated": "2026-04-15T20:30:13.767740+00:00", "vendors": ["gagan0123", "gagan0123$PRODUCT$postmarkapp_email_integrator", "wordpress", "wordpress$PRODUCT$wordpress"]}