{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3090", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-24T01:24:00.305Z", "datePublished": "2026-03-18T15:28:29.140Z", "dateUpdated": "2026-04-08T16:48:13.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:13.127Z"}, "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018event_type\u2019 parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled."}], "title": "Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8cbbbb-2089-4966-8fd3-da4f76fb2517?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/PostmanEmailLogs.php#L459"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484515/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "timeline": [{"time": "2026-02-24T01:52:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T17:01:09.399609Z", "id": "CVE-2026-3090", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:02:50.336Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3090", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T17:01:09.399609Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T17:02:47.099Z"}}], "cna": {"title": "Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type'", "credits": [{"lang": "en", "type": "finder", "value": "Ph\u00fa"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "saadiqbal", "product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.8.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-24T01:52:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8cbbbb-2089-4966-8fd3-da4f76fb2517?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/PostmanEmailLogs.php#L459"}, {"url": "https://plugins.trac.wordpress.org/changeset/3484515/"}], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018event_type\u2019 parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-18T15:28:29.140Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3090", "state": "PUBLISHED", "dateUpdated": "2026-03-18T17:02:50.336Z", "dateReserved": "2026-02-24T01:24:00.305Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T15:28:29.140Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018event_type\u2019 parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled."}, {"lang": "es", "value": "El plugin Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP &amp; Mobile App para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'event_type' en todas las versiones hasta la 3.8.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes no autenticados inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. La vulnerabilidad solo es explotable cuando el plugin Post SMTP Pro tambi\u00e9n est\u00e1 instalado y su extensi\u00f3n de Informes y Seguimiento est\u00e1 habilitada."}], "id": "CVE-2026-3090", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T16:16:28.560", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-smtp/trunk/Postman/PostmanEmailLogs.php#L459"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3484515/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f8cbbbb-2089-4966-8fd3-da4f76fb2517?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.8.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App", "source": "cna", "vendor": "saadiqbal"}, "product": "post_smtp_\u2013_complete_email_deliverability_and_smtp_solution_with_email_logs,_alerts,_backup_smtp_&_mobile_app", "vendor": "saadiqbal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T16:21:20.821831+00:00", "value": {"mitigation_remediation": ["Update the Post SMTP plugin to the latest version (\u22653.8.1) to eliminate the XSS flaw.", "Disable the Post SMTP Pro plugin or turn off the Reporting and Tracking extension if an upgrade cannot be performed immediately, thereby removing the vulnerable code path.", "Verify that the WordPress site runs the latest core version and all other plugins are updated; run vulnerability scans to confirm the issue is resolved.", "Deploy a Web Application Firewall or configure security plugins to block XSS payloads as an additional line of defense."], "summary": {"action": "Patch plugin", "impact": "Stored Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the Post SMTP \u2013 Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin released by saadiqbal for WordPress that are version 3.8.0 or earlier. It only exists when the Post SMTP Pro extension is present and its Reporting and Tracking component is turned on, because that is where the vulnerable code path is executed.", "description_and_impact": "An unauthenticated attacker can inject JavaScript code through the 'event_type' parameter in the Post SMTP plugin. Because the input is not adequately sanitized or escaped, the malicious code becomes stored and executed within WordPress pages that display the event logs. This stored XSS can lead to data theft, session hijacking, defacement, or the installation of malware for any visitor who loads the compromised page. The weakness is identified as CWE\u201179 \u2013 Improper Neutralization of Input During Web Page Generation.", "risk_and_exploitability": "CVSS base score is 7.2, indicating a high\u2011impact threat. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The attack requires unauthenticated access to the WordPress installation, the presence of the Pro plugin, and the Reporting/Tracking feature enabled. An attacker may craft a malicious 'event_type' payload, store it through the plugin\u2019s interface, and then wait for other users to view the affected page, where the script will run in their browsers. Due to these constraints, the likelihood of immediate exploitation is moderate, but the impact remains significant; patching is strongly recommended."}}}}, "created": "2026-03-19T08:56:30.158048+00:00", "updated": "2026-03-24T10:58:36.952839+00:00", "vendors": ["saadiqbal", "saadiqbal$PRODUCT$post_smtp_\u2013_complete_email_deliverability_and_smtp_solution_with_email_logs,_alerts,_backup_smtp_&_mobile_app", "wordpress", "wordpress$PRODUCT$wordpress"]}