Platform
wordpress
Component
post-smtp
Fixed version
3.8.1
CVE-2026-3090 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Post SMTP WordPress plugin. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking, defacement, or redirection. The issue affects versions from 0.0.0 through 3.8.0 and is mitigated by upgrading to version 3.9.0.
Successful exploitation of CVE-2026-3090 lets an attacker store JavaScript that later executes in the browsers of other users of the WordPress site. Consequences include theft of cookies and session tokens, redirection of users to phishing pages, and defacement. Exploitation requires the Post SMTP Pro plugin with its Reporting and Tracking extension to be installed, so only sites running that add-on are exposed; on those sites, however, the attacker needs no authentication to plant the script, which is what makes this a high-risk issue.
CVE-2026-3090 was publicly disclosed on 2026-03-18. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of XSS exploitation suggests a medium probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress plugins are common, so vigilance is advised.
Websites running the Post SMTP plugin are at risk when the Post SMTP Pro plugin and its Reporting and Tracking extension are enabled. Shared hosting environments deserve extra attention: where several WordPress sites run under the same server account, a compromise that starts on one site can put the others at risk.
• wordpress / composer / npm:
  grep -r 'event_type' /var/www/html/wp-content/plugins/post-smtp/
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'post-smtp'
• wordpress / composer / npm:
  wp plugin list --status=active | grep 'post-smtp-pro'
• wordpress / composer / npm:
  wp option get post_smtp_reporting_enabled
Disclosure
Exploitation status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-3090 is to upgrade the Post SMTP plugin to version 3.9.0 or later, which contains the fix. If an immediate upgrade is not possible, temporarily disable the Reporting and Tracking extension within the Post SMTP Pro plugin, since the vulnerable code path is only reachable with that extension enabled. Input validation and output escaping improvements are the core of the fix. After upgrading, verify it on a site you are authorized to test by submitting a harmless JavaScript probe through the 'event_type' parameter and confirming that it is rendered escaped and does not execute.
Update to version 3.9.0, or a later patched version.
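The detection commands above only list the plugin; they do not tell you whether the installed release is below the fixed version, and the verification step in the mitigation text is described but not scripted. The following shell script is an added example, not code from the advisory or from the Post SMTP project. It parses the `Version:` field of a WordPress plugin header, compares it with the fixed release in version order (so that 3.10.0 is correctly treated as newer than 3.9.0), and checks a saved copy of a report page for an unescaped reflection of the probe string. The fixed version 3.9.0 is taken from the advisory text; the plugin file name, the constructed header and the constructed HTML pages are assumptions standing in for a real installation.

```shell
#!/bin/sh
# Added example (not from the advisory or the Post SMTP project).
# Assumes: fixed release 3.9.0 as stated in the advisory; a WordPress-style
# plugin header with a "Version:" line; sample files constructed below.

FIXED_VERSION="3.9.0"

# Extract the "Version:" field from a WordPress plugin's main file header.
# Prints the version string, or nothing if the header has no such field.
plugin_version_from_header() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) if $1 sorts strictly before $2 in version order.
# sort -V handles multi-digit components; plain string comparison would not.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print "vulnerable", "patched" or "unknown" for the plugin file given as $1.
post_smtp_status() {
    v=$(plugin_version_from_header "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Verification helper for the post-upgrade check: $1 is the saved HTML of the
# page that renders stored event data, $2 is the exact probe string that was
# submitted as event_type. Prints "unescaped" if the raw probe appears in the
# page (the script would execute), otherwise "escaped".
probe_reflection() {
    if grep -qF -- "$2" "$1"; then
        echo "unescaped"
    else
        echo "escaped"
    fi
}

# Constructed sample inputs (assumptions, not captured from a real site).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/post-smtp.php" <<'EOF'
<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.8.0
 */
EOF

PROBE='<svg onload=alert(1)>'
# Page as a vulnerable build would render it: probe echoed verbatim.
printf '<td>%s</td>\n' "$PROBE" > "$SAMPLE_DIR/vulnerable.html"
# Page as a fixed build would render it: probe passed through HTML escaping.
printf '<td>%s</td>\n' '&lt;svg onload=alert(1)&gt;' > "$SAMPLE_DIR/patched.html"

# Run stand-alone: reports the plugin status and both reflection checks.
echo "plugin: $(post_smtp_status "$SAMPLE_DIR/post-smtp.php")"
echo "vulnerable page: $(probe_reflection "$SAMPLE_DIR/vulnerable.html" "$PROBE")"
echo "patched page: $(probe_reflection "$SAMPLE_DIR/patched.html" "$PROBE")"
```

On a real host, point `post_smtp_status` at the plugin's main file under `wp-content/plugins/post-smtp/` and `probe_reflection` at a copy of the rendered report page fetched while logged in as a user who can view it; run the probe only against sites you are authorized to test.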
CVE-2026-3090 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the Post SMTP WordPress plugin versions 0.0.0–3.8.0, allowing attackers to inject malicious scripts.
You are affected if you run Post SMTP WordPress plugin versions 0.0.0 through 3.8.0 together with the Post SMTP Pro plugin and its Reporting and Tracking extension enabled.
Upgrade the Post SMTP plugin to version 3.9.0 or later. As a temporary workaround, disable the Reporting and Tracking extension within the Post SMTP Pro plugin.
While no public exploits are currently known, the ease of XSS exploitation suggests a medium probability of exploitation.
Refer to the Post SMTP website and WordPress plugin repository for the latest advisory and update information.