Platform: wordpress
Component: post-smtp
Fixed in: 3.8.1
CVE-2026-3090 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Post SMTP WordPress plugin. An unauthenticated attacker can submit arbitrary web script that the plugin stores and later renders, so it executes in the browser of whoever views the affected page; the consequences include session hijacking, defacement, and redirection. All versions up to and including 3.8.0 are affected; the remediation is to upgrade to version 3.9.0 or later.
Successful exploitation lets an attacker plant JavaScript that runs in the browser of any user who views the page where the stored value is rendered. That enables theft of cookies and session tokens, redirection to phishing sites, and defacement. The vulnerable code path lives in the Reporting and Tracking extension of the Post SMTP Pro plugin, so only sites running that extension are exposed. On those sites, however, the injection point accepts input without authentication, which is what makes the issue high-risk: no account of any kind is needed to store the script.
CVE-2026-3090 was publicly disclosed on 2026-03-18. No public proof-of-concept (PoC) code had been released at the time of writing, but stored XSS that requires no authentication is straightforward to exploit once the injection point is known, so the probability of exploitation is rated medium. The vulnerability is not currently listed in the CISA KEV catalog. Campaigns that mass-exploit WordPress plugin flaws are common, so vigilance is advised.
Exploit Status
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2026-3090 is to upgrade the Post SMTP plugin to version 3.9.0 or later, which contains the fix. If upgrading immediately is not possible, temporarily disable the Reporting and Tracking extension within the Post SMTP Pro plugin; that removes the vulnerable code path until the update can be applied. The fix itself consists of input validation and output escaping. After upgrading, verify it by submitting a harmless, uniquely tagged test value through the 'event_type' parameter and confirming that the page which renders it shows the value entity-encoded rather than as live markup and that no script executes. A result where the value does not appear at all proves nothing by itself and should be investigated rather than treated as a pass.
Update to version 3.9.0, or a newer patched version
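As an added example (not code from the advisory, from Post SMTP, or from the plugin's authors), the following Python script performs both halves of the procedure above: it reads the installed plugin version and decides whether it falls in the affected range, then submits a uniquely tagged probe through the event_type parameter and classifies how the rendered page treats it. Only the parameter name and the affected range come from the advisory. The readme.txt location (the standard WordPress plugin layout), the form-encoded POST, and the two URLs the caller supplies (where the value is submitted and where it is rendered) are assumptions, since the advisory does not state the endpoint.

```python
"""Affected-version check and post-upgrade rendering check for CVE-2026-3090.

Added example, not code from the advisory or the plugin. Assumed: the
standard plugin location /wp-content/plugins/post-smtp/readme.txt, a
form-encoded POST for the submission, and that the caller supplies the
URL of the page where the stored 'event_type' value is rendered.
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request

# Affected range stated by the advisory: every release up to and including 3.8.0.
LAST_VULNERABLE = (3, 8, 0)

# Assumed standard WordPress plugin path (not stated in the advisory).
README_PATH = "/wp-content/plugins/post-smtp/readme.txt"


def parse_version(text):
    """'3.8.0' -> (3, 8, 0); '3.8' -> (3, 8, 0). Extra components are dropped."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return parse_version(version) <= LAST_VULNERABLE


def stable_tag(readme_text):
    """Pull the 'Stable tag:' value out of a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*([\w.\-]+)", readme_text,
                  re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def probe_payload(marker):
    """A benign payload whose only effect, if it ever runs, is setting a global."""
    return f'"><img src=x onerror="window.{marker}=1">'


def classify_rendering(body, marker):
    """Decide what happened to the probe in the rendered page.

    'vulnerable' - payload present byte-for-byte, so it would execute;
    'escaped'    - marker present but the markup was neutralised or filtered;
    'absent'     - value not rendered at all (inconclusive, not a pass).
    """
    if probe_payload(marker) in body:
        return "vulnerable"
    if marker in body:
        return "escaped"
    return "absent"


def fetch(url):
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def submit(url, field, value):
    """Assumed form-encoded POST; adapt if the real endpoint differs."""
    data = urllib.parse.urlencode({field: value}).encode()
    with urllib.request.urlopen(url, data=data, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: script.py https://site.example [submit_url report_page_url]
    site = sys.argv[1].rstrip("/")
    tag = stable_tag(fetch(site + README_PATH))
    affected = tag is not None and is_affected(tag)
    print(f"Post SMTP stable tag: {tag}; affected: {affected}")
    if len(sys.argv) == 4:
        # Random suffix so the probe cannot collide with pre-existing content.
        marker = "cve20263090" + secrets.token_hex(4)
        submit(sys.argv[2], "event_type", probe_payload(marker))
        print("rendering:", classify_rendering(fetch(sys.argv[3]), marker))
```

The three-way classification matters more than a pass/fail flag: "escaped" is what a correct fix produces, "vulnerable" means the value still reaches the page as live markup, and "absent" means the probe was never stored or never rendered, which can happen if the submit URL or parameter is wrong, so it must not be read as evidence that the fix is in place.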
CVE-2026-3090 is a Stored Cross-Site Scripting (XSS) vulnerability affecting all Post SMTP WordPress plugin versions up to and including 3.8.0, allowing unauthenticated attackers to inject malicious scripts.
You are affected if you run a Post SMTP WordPress plugin version up to and including 3.8.0 together with the Post SMTP Pro plugin and its Reporting and Tracking extension enabled.
Upgrade the Post SMTP plugin to version 3.9.0 or later. As a temporary workaround, disable the Reporting and Tracking extension within the Post SMTP Pro plugin.
While no public exploits are currently known, the ease of XSS exploitation suggests a medium probability of exploitation.
Refer to the Post SMTP website and WordPress plugin repository for the latest advisory and update information.