CVE-2026-3090
Published: 18 March 2026
Summary
CVE-2026-3090 is a high-severity stored cross-site scripting (CWE-79) vulnerability in the Post SMTP plugin for WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Command and Scripting Interpreter: JavaScript (T1059.007). The CVE ranks at the 30.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-3090 is a stored cross-site scripting (XSS) vulnerability in the Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, affecting all versions up to and including 3.8.0. The issue arises from insufficient input sanitization and output escaping of the 'event_type' parameter, enabling attackers to inject arbitrary web scripts into pages.
Unauthenticated attackers can inject a script that is stored by the plugin and executed in the browser of every user who later views the affected page. Exploitation is conditional on the Post SMTP Pro plugin being installed alongside the vulnerable Post SMTP plugin, with its Reporting and Tracking extension enabled. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflects network-reachable, unauthenticated exploitation with low impact on confidentiality and integrity and a changed scope: the injected script runs in the viewing user's browser session, not in the plugin itself.
The referenced sources cover the vulnerable code (line 459 of PostmanEmailLogs.php), the fix in WordPress plugins Trac changeset 3484515, and a Wordfence threat intelligence advisory summarizing the issue. The file name suggests the sink is the plugin's email log view, so the users most likely to trigger a stored payload are administrators reviewing those logs (an inference from the file name, not a statement in the advisory). Security practitioners should update Post SMTP to a release later than 3.8.0.
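A way to confirm whether a given install falls in the affected range, as an added example (not code from the advisory, the plugin or Wordfence): read the version from the plugin's header comment the way WordPress itself does and compare it with version_compare() rather than a plain string comparison, which mis-orders multi-digit components. The sample header is constructed, and the plugin file path in the comment is an assumption about a typical install, not something the advisory states.

```php
<?php
declare(strict_types=1);

// Added example, not code from the advisory or the plugin: is an installed
// copy of Post SMTP in the affected range "all versions up to and including
// 3.8.0"? The header below is constructed; the plugin file path further down
// is an assumption about the install and must be checked on the target site.

// WordPress plugins declare their version in a header comment in the main
// plugin file (the same block WordPress's get_plugin_data() parses).
// Constructed sample, not the real header.
$sampleMainFile = <<<'PHPSRC'
<?php
/**
 * Plugin Name: Post SMTP
 * Version: 3.8.0
 */
PHPSRC;

function plugin_header_version(string $fileContents): ?string
{
    // Same shape of match as WordPress's header parser: an optional run of
    // comment punctuation, the field name, then the value to end of line.
    if (preg_match('/^[ \t\/*#@]*Version:(.*)$/mi', $fileContents, $m) === 1) {
        $version = trim($m[1]);
        return $version === '' ? null : $version;
    }
    return null;
}

function post_smtp_is_affected(?string $installed): bool
{
    // Unknown version: treat as affected so the host is triaged, not skipped.
    if ($installed === null) {
        return true;
    }
    // version_compare() compares component-wise; a plain string comparison
    // would wrongly rank "3.10.0" below "3.8.0".
    return version_compare($installed, '3.8.0', '<=');
}

// On a live install (path assumed; adjust to where the plugin actually lives):
// $src = file_get_contents(ABSPATH . 'wp-content/plugins/post-smtp/postman-smtp.php');
$installed = plugin_header_version($sampleMainFile);
printf("installed: %s  affected: %s\n", $installed ?? 'unknown',
    post_smtp_is_affected($installed) ? 'yes' : 'no');

// Boundary cases a fleet-wide check must get right.
foreach (['3.7.9', '3.8.0', '3.8.1', '3.10.0'] as $candidate) {
    printf("%-7s version_compare: %-3s naive strcmp: %s\n",
        $candidate,
        post_smtp_is_affected($candidate) ? 'yes' : 'no',
        strcmp($candidate, '3.8.0') <= 0 ? 'yes' : 'no');
}
```

The loop exists to make the pitfall visible: 3.8.0 itself is affected (the range is inclusive), 3.8.1 is not, and 3.10.0 is only classified correctly by version_compare(). Treating an unreadable version as affected errs toward triage rather than silently skipping a host.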
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12841
Vulnerability details
The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_type' parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a WordPress plugin results in attacker-supplied script executing in users' browsers (T1059.007, Command and Scripting Interpreter: JavaScript). Because the injection requires no authentication, an attacker can plant the payload and then wait for, or steer, victims to the injected page, which matches drive-by compromise (T1189) or phishing (T1566.001). Note that T1566.001 is Spearphishing Attachment; a phishing e-mail that links the victim to the injected page is Spearphishing Link (T1566.002), the closer fit for delivering a stored XSS payload.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the insufficient input sanitization of the 'event_type' parameter by rejecting values outside what the feature expects, so an unauthenticated attacker cannot get arbitrary markup stored in the first place.
- SI-15 (Information Output Filtering): mitigates the lack of output escaping by encoding stored values at the rendering sink, so anything that does reach the log is displayed as text rather than executed.
- SI-2 (Flaw Remediation): ensures timely remediation by updating the Post SMTP plugin to a release later than 3.8.0, which removes the stored XSS vulnerability itself.
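The pattern behind the first two controls, as an added example that is not Post SMTP code and does not reproduce the plugin's actual sink at line 459 of PostmanEmailLogs.php: a hypothetical log-event handler that stores a request parameter named event_type and later renders it, first in the vulnerable shape the advisory describes, then with SI-10 allowlist validation on the way in and SI-15 escaping on the way out. The allowed values, function names and sample payload are all constructed for illustration; the plain-PHP escaping helper stands in for WordPress's esc_html() so the file runs outside WordPress.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Post SMTP plugin. Function names, the
// allowlist and the sample payload are constructed for illustration.

// Stand-ins for the plugin's persistent email log (constructed).
$vulnerableLog = [];
$hardenedLog   = [];

// --- Vulnerable shape: the raw parameter is stored, then echoed as-is. ---
function vulnerable_log_event(array &$log, array $request): void
{
    // No validation: whatever the unauthenticated client sent is persisted.
    $log[] = ['event_type' => (string) ($request['event_type'] ?? '')];
}

function vulnerable_render(array $log): string
{
    $html = '';
    foreach ($log as $row) {
        // No output escaping: markup in the stored value reaches the browser.
        $html .= '<td>' . $row['event_type'] . '</td>' . PHP_EOL;
    }
    return $html;
}

// --- SI-10 Information Input Validation: strict allowlist on the way in. ---
// Constructed list; a real handler would use the values its feature defines.
const ALLOWED_EVENT_TYPES = ['open', 'click', 'bounce', 'delivered'];

function hardened_log_event(array &$log, array $request): bool
{
    $event = $request['event_type'] ?? null;
    // Type check plus strict in_array() so non-strings and loose matches
    // cannot slip through; anything not on the list is dropped, not stored.
    if (!is_string($event) || !in_array($event, ALLOWED_EVENT_TYPES, true)) {
        return false;
    }
    $log[] = ['event_type' => $event];
    return true;
}

// --- SI-15 Information Output Filtering: escape at the rendering sink. ---
// Plain-PHP equivalent of what WordPress provides as esc_html().
function example_esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function hardened_render(array $log): string
{
    $html = '';
    foreach ($log as $row) {
        $html .= '<td>' . example_esc_html($row['event_type']) . '</td>' . PHP_EOL;
    }
    return $html;
}

// Constructed request body from an unauthenticated client.
$payload = ['event_type' => '<img src=x onerror=alert(document.domain)>'];

vulnerable_log_event($vulnerableLog, $payload);
echo "vulnerable render:\n", vulnerable_render($vulnerableLog);

printf("hostile payload accepted: %s\n",
    var_export(hardened_log_event($hardenedLog, $payload), true));
printf("valid event accepted: %s\n",
    var_export(hardened_log_event($hardenedLog, ['event_type' => 'bounce']), true));
echo "hardened render:\n", hardened_render($hardenedLog);

// Escaping also neutralises rows stored before validation existed, which is
// why both controls are applied together rather than relying on either one.
echo "legacy rows through the hardened renderer:\n", hardened_render($vulnerableLog);
```

Run it with `php example.php`. The last block is the practical reason for pairing SI-10 with SI-15: an allowlist stops new hostile rows, but only escaping at the sink protects users from rows that were stored while the plugin was still vulnerable.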