Platform
wordpress
Component
post-smtp
Fixed version
3.8.1
CVE-2026-3090 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Post SMTP WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking, defacement, or redirection. The issue affects versions from 0.0.0 through 3.8.0 and is mitigated by upgrading to version 3.9.0.
Successful exploitation of CVE-2026-3090 allows an attacker to inject malicious JavaScript into pages viewed by other users of the WordPress site. This can lead to a variety of attacks, including theft of user cookies and session tokens, redirection of users to phishing sites, or defacement of the website. Exploitation requires the Post SMTP Pro plugin and its Reporting and Tracking extension to be installed, so sites running that configuration are the ones exposed. The attacker does not need to be authenticated to inject the script, which makes this a high-risk vulnerability.
CVE-2026-3090 was publicly disclosed on 2026-03-18. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of XSS exploitation suggests a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress plugins are common, so vigilance is advised.
Websites using the Post SMTP plugin, particularly those with the Post SMTP Pro plugin and its Reporting and Tracking extension enabled, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise of one site could potentially lead to the exploitation of this vulnerability on other sites.
• wordpress / composer / npm:
grep -r 'event_type' /var/www/html/wp-content/plugins/post-smtp/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'post-smtp'
• wordpress / composer / npm:
wp plugin list --status=active | grep 'post-smtp-pro'
• wordpress / composer / npm:
wp option get post_smtp_reporting_enabled
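The checks above are meant to be run by hand. The following script, an added example that is not part of this advisory or of the Post SMTP project, turns them into a single pass/fail verdict: it takes the CSV that `wp plugin list --fields=name,status,version --format=csv` would print plus the value of the `post_smtp_reporting_enabled` option, and reports whether the site is in the affected configuration the page describes (Post SMTP 0.0.0 through 3.8.0 with the Pro plugin and its reporting extension enabled). The `vercmp` helper compares versions numerically so that, for example, 3.10.0 is not mistaken for something older than 3.9.0. The sample plugin list is constructed, and treating an option value of `1` as "reporting enabled" is an assumption, since the page does not state the option's format.

```shell
#!/bin/sh
# Added example, not code from the advisory or the plugin.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Non-numeric suffixes (e.g. "3.8.0-beta") are ignored per component.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# $1: CSV output of `wp plugin list --fields=name,status,version --format=csv`
# $2: value of `wp option get post_smtp_reporting_enabled` ("1" assumed to mean enabled)
# Returns 0 when the site matches the affected configuration, 1 otherwise.
post_smtp_affected() {
  plugin_csv=$1; reporting=$2
  ver=$(printf '%s\n' "$plugin_csv" | awk -F, '$1=="post-smtp" && $2=="active" {print $3}')
  pro=$(printf '%s\n' "$plugin_csv" | awk -F, '$1=="post-smtp-pro" && $2=="active" {print $1}')
  if [ -z "$ver" ]; then
    echo "post-smtp is not active: not affected"; return 1
  fi
  # Affected range stated on this page: 0.0.0 through 3.8.0 inclusive.
  if [ "$(vercmp "$ver" 3.8.0)" -gt 0 ]; then
    echo "post-smtp $ver: outside the affected range"; return 1
  fi
  if [ -z "$pro" ] || [ "$reporting" != "1" ]; then
    echo "post-smtp $ver: affected version, but Pro reporting extension not enabled"; return 1
  fi
  echo "post-smtp $ver: AFFECTED (Pro plugin active, reporting enabled) - upgrade"
  return 0
}

# Constructed sample input standing in for the live WP-CLI output.
SAMPLE_PLUGINS='name,status,version
post-smtp,active,3.8.0
post-smtp-pro,active,3.8.0
akismet,inactive,5.3'

post_smtp_affected "$SAMPLE_PLUGINS" 1
```

On a live site, replace the constructed sample with `"$(wp plugin list --fields=name,status,version --format=csv)"` and `"$(wp option get post_smtp_reporting_enabled)"`; a zero exit status means the site should be scheduled for the upgrade described in the mitigation section.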
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3090 is to upgrade the Post SMTP plugin to version 3.9.0 or later, which contains the necessary fixes. If upgrading immediately is not possible, consider temporarily disabling the Reporting and Tracking extension within the Post SMTP Pro plugin. Input validation and output escaping improvements are the core of the fix. After upgrading, verify the fix by attempting to inject a simple JavaScript payload through the 'event_type' parameter and confirming that it is properly sanitized and does not execute.
Update to version 3.9.0 or a later fixed version.
CVE-2026-3090 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Post SMTP WordPress plugin versions 0.0.0–3.8.0, allowing attackers to inject malicious scripts.
You are affected if you are using Post SMTP WordPress plugin versions 0.0.0 through 3.8.0 and have the Post SMTP Pro plugin with the Reporting and Tracking extension enabled.
Upgrade the Post SMTP plugin to version 3.9.0 or later. As a temporary workaround, disable the Reporting and Tracking extension within the Post SMTP Pro plugin.
While no public exploits are currently known, the ease of XSS exploitation suggests a medium probability of exploitation.
Refer to the Post SMTP website and WordPress plugin repository for the latest advisory and update information.