CVE-2026-48838

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.6.2 - Unauthenticated Stored Cross-Site Scripting

highImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
3.6.3
Patched in
5d
Time to patch

Description

The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.2
PublishedMay 28, 2026
Last updatedJune 1, 2026
Affected pluginpost-smtp

What Changed in the Fix

Changes introduced in v3.6.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

```markdown # Exploitation Research Plan - CVE-2026-48838 (Post SMTP Stored XSS) ## 1. Vulnerability Summary The **Post SMTP** plugin for WordPress is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in versions up to and including 3.6.2. The vulnerability exists in the `Post_SMT…

Show full research plan
# Exploitation Research Plan - CVE-2026-48838 (Post SMTP Stored XSS)

## 1. Vulnerability Summary
The **Post SMTP** plugin for WordPress is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in versions up to and including 3.6.2. The vulnerability exists in the `Post_SMTP_Email_Content` class located in `Postman/Mobile/includes/email-content.php`. 

The plugin provides a mobile app integration that allows users to view email logs via a specific rendering endpoint. The `render_html()` method fetches email log data (including the message body, session transcripts, and success logs) and outputs them directly to the page without sufficient sanitization or output escaping. Specifically, the field `original_message` (and others like `session_transcript`) is echoed raw within the HTML.

## 2. Attack Vector Analysis
- **Endpoint/Hook**: The class `Post_SMTP_Email_Content` initializes itself in its constructor if `is_admin()` is true and specific GET parameters are present. The most accessible target for an unauthenticated user is `/wp-admin/admin-ajax.php`, which triggers `is_admin() == true`.
- **Vulnerable Parameters**:
    - **Injection**: The email body sent via `wp_mail()` (e.g., via a public contact form).
    - **Trigger/Access**: `log_id` and `access_token` GET parameters.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Post SMTP plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting via its mobile app rendering endpoint. Attackers can inject arbitrary web scripts into email logs (e.g., via public contact forms) which are then executed without escaping when viewed by an administrator or authorized user through specific GET parameters.

Vulnerable Code

// Postman/Mobile/includes/email-content.php line 135
<div class="message-body">
	<?php echo $log['original_message']; ?>
</div>

---

// Postman/Mobile/includes/email-content.php line 183
<div class="message-body">
	<?php echo $log['session_transcript']; ?>
</div>

---

// Postman/Mobile/includes/email-content.php line 231
<div class="message-body">
	<?php echo $log['success']; ?>
</div>

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/post-smtp/3.6.2/Postman/Mobile/includes/email-content.php	2023-10-26 06:11:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/post-smtp/3.6.3/Postman/Mobile/includes/email-content.php	2025-12-17 06:31:26.000000000 +0000
@@ -132,7 +132,7 @@
 									</tbody>
 								</table>
 								<div class="message-body">
-									<?php echo $log['original_message']; ?>
+									<?php echo wp_kses_post( $log['original_message'] ); ?>
 								</div>
 							</div>
 						</body>
@@ -180,7 +180,7 @@
 					<body>
 						<div class="container">
 							<div class="message-body">
-								<?php echo $log['session_transcript']; ?>
+								<pre><?php echo esc_html( $log['session_transcript'] ); ?></pre>
 							</div>
 						</div>
 					</body>
@@ -228,7 +228,7 @@
 					<body>
 						<div class="container">
 							<div class="message-body">
-								<?php echo $log['success']; ?>
+								<?php echo esc_html( $log['success'] ); ?>
 							</div>
 						</div>
 					</body>

Exploit Outline

1. An unauthenticated attacker identifies a public-facing email trigger (like a 'Contact Us' form) that uses wp_mail() and is logged by Post SMTP. 2. The attacker submits a payload containing malicious JavaScript (e.g., <script>alert(document.domain)</script>) within the email message body. 3. The attacker (or a victim user) accesses the rendering endpoint via a URL such as `/wp-admin/admin-ajax.php?access_token=[TOKEN]&log_id=[ID]&type=log`. 4. Because `render_html()` outputs the `original_message`, `session_transcript`, and `success` fields directly without sanitization or output escaping, the payload executes in the context of the user's browser session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.