[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fal2ozVeGTTnqAnde9iTS1hIczbTjFxQLkAQHFHy6Jvo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-48838","post-smtp-complete-email-deliverability-and-smtp-solution-with-email-logs-alerts-backup-smtp-mobile-app-unauthenticated-","Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App \u003C= 3.6.2 - Unauthenticated Stored Cross-Site Scripting","The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","post-smtp",null,"\u003C=3.6.2","3.6.3","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-28 00:00:00","2026-06-01 16:21:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F863acd01-c9fa-44d5-afc4-1a6baefcf709?source=api-prod",5,[22,23,24],"Postman\u002FMobile\u002Fincludes\u002Femail-content.php","postman-smtp.php","readme.txt","researched",false,3,"```markdown\n# Exploitation Research Plan - CVE-2026-48838 (Post SMTP Stored XSS)\n\n## 1. Vulnerability Summary\nThe **Post SMTP** plugin for WordPress is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)** in versions up to and including 3.6.2. The vulnerability exists in the `Post_SMTP_Email_Content` class located in `Postman\u002FMobile\u002Fincludes\u002Femail-content.php`. \n\nThe plugin provides a mobile app integration that allows users to view email logs via a specific rendering endpoint. The `render_html()` method fetches email log data (including the message body, session transcripts, and success logs) and outputs them directly to the page without sufficient sanitization or output escaping. Specifically, the field `original_message` (and others like `session_transcript`) is echoed raw within the HTML.\n\n## 2. Attack Vector Analysis\n- **Endpoint\u002FHook**: The class `Post_SMTP_Email_Content` initializes itself in its constructor if `is_admin()` is true and specific GET parameters are present. The most accessible target for an unauthenticated user is `\u002Fwp-admin\u002Fadmin-ajax.php`, which triggers `is_admin() == true`.\n- **Vulnerable Parameters**:\n    - **Injection**: The email body sent via `wp_mail()` (e.g., via a public contact form).\n    - **Trigger\u002FAccess**: `log_id` and `access_token` GET parameters.\n","The Post SMTP plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting via its mobile app rendering endpoint. Attackers can inject arbitrary web scripts into email logs (e.g., via public contact forms) which are then executed without escaping when viewed by an administrator or authorized user through specific GET parameters.","\u002F\u002F Postman\u002FMobile\u002Fincludes\u002Femail-content.php line 135\n\u003Cdiv class=\"message-body\">\n\t\u003C?php echo $log['original_message']; ?>\n\u003C\u002Fdiv>\n\n---\n\n\u002F\u002F Postman\u002FMobile\u002Fincludes\u002Femail-content.php line 183\n\u003Cdiv class=\"message-body\">\n\t\u003C?php echo $log['session_transcript']; ?>\n\u003C\u002Fdiv>\n\n---\n\n\u002F\u002F Postman\u002FMobile\u002Fincludes\u002Femail-content.php line 231\n\u003Cdiv class=\"message-body\">\n\t\u003C?php echo $log['success']; ?>\n\u003C\u002Fdiv>","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-smtp\u002F3.6.2\u002FPostman\u002FMobile\u002Fincludes\u002Femail-content.php\t2023-10-26 06:11:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpost-smtp\u002F3.6.3\u002FPostman\u002FMobile\u002Fincludes\u002Femail-content.php\t2025-12-17 06:31:26.000000000 +0000\n@@ -132,7 +132,7 @@\n \t\t\t\t\t\t\t\t\t\u003C\u002Ftbody>\n \t\t\t\t\t\t\t\t\u003C\u002Ftable>\n \t\t\t\t\t\t\t\t\u003Cdiv class=\"message-body\">\n-\t\t\t\t\t\t\t\t\t\u003C?php echo $log['original_message']; ?>\n+\t\t\t\t\t\t\t\t\t\u003C?php echo wp_kses_post( $log['original_message'] ); ?>\n \t\t\t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\t\u003C\u002Fbody>\n@@ -180,7 +180,7 @@\n \t\t\t\t\t\u003Cbody>\n \t\t\t\t\t\t\u003Cdiv class=\"container\">\n \t\t\t\t\t\t\t\u003Cdiv class=\"message-body\">\n-\t\t\t\t\t\t\t\t\u003C?php echo $log['session_transcript']; ?>\n+\t\t\t\t\t\t\t\t\u003Cpre>\u003C?php echo esc_html( $log['session_transcript'] ); ?>\u003C\u002Fpre>\n \t\t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\u003C\u002Fbody>\n@@ -228,7 +228,7 @@\n \t\t\t\t\t\u003Cbody>\n \t\t\t\t\t\t\u003Cdiv class=\"container\">\n \t\t\t\t\t\t\t\u003Cdiv class=\"message-body\">\n-\t\t\t\t\t\t\t\t\u003C?php echo $log['success']; ?>\n+\t\t\t\t\t\t\t\t\u003C?php echo esc_html( $log['success'] ); ?>\n \t\t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\u003C\u002Fbody>","1. An unauthenticated attacker identifies a public-facing email trigger (like a 'Contact Us' form) that uses wp_mail() and is logged by Post SMTP.\n2. The attacker submits a payload containing malicious JavaScript (e.g., \u003Cscript>alert(document.domain)\u003C\u002Fscript>) within the email message body.\n3. The attacker (or a victim user) accesses the rendering endpoint via a URL such as `\u002Fwp-admin\u002Fadmin-ajax.php?access_token=[TOKEN]&log_id=[ID]&type=log`.\n4. Because `render_html()` outputs the `original_message`, `session_transcript`, and `success` fields directly without sanitization or output escaping, the payload executes in the context of the user's browser session.","gemini-3-flash-preview","2026-06-04 16:04:06","2026-06-04 16:06:09",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","3.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-smtp\u002Ftags\u002F3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-smtp.3.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-smtp\u002Ftags\u002F3.6.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpost-smtp.3.6.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpost-smtp\u002Ftags"]