Cyber Resilience

CVE-2026-3090

Severity: High
Published: 18 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (WordPress plugins trac changeset 3484515)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0012 (30.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3090 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in the Post SMTP plugin for WordPress (product inferred from references; NVD filed no CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 30.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-3090 is a stored cross-site scripting (XSS) vulnerability in the Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress, affecting all versions up to and including 3.8.0. The flaw is insufficient input sanitization and output escaping of the 'event_type' parameter: a value supplied in a request is stored and later rendered into a page without being neutralized, so an attacker can plant arbitrary web script.

Unauthenticated attackers can plant the payload; it then executes in the browser of any user who views the page into which it was injected. Exploitation is conditional on the Post SMTP Pro plugin being installed alongside the vulnerable Post SMTP plugin, with its Reporting and Tracking extension enabled. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base score 7.2) rates the confidentiality and integrity impacts as Low; the scope is marked changed (S:C) because the injected script runs in the victim's browser, a component other than the vulnerable plugin itself.

The referenced sources cover the fix: the vulnerable code at line 459 of PostmanEmailLogs.php, the patch applied in WordPress plugins trac changeset 3484515, and a Wordfence threat intelligence advisory summarizing the issue. Practitioners should update the plugin to a version later than 3.8.0 that contains that changeset, and, until they can, disable the Post SMTP Pro Reporting and Tracking extension, since the issue is only exploitable while it is enabled.
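The following is an added illustrative example, not code from the Post SMTP plugin, the trac changeset or the Wordfence advisory. It reconstructs the generic pattern the advisory describes (an 'event_type' value stored without validation and echoed without escaping) beside its hardened form, which applies the two controls named in the summary, input validation (SI-10) and output filtering (SI-15), and adds the version test implied by the affected range "up to and including 3.8.0". All function names, the event-type allowlist, the log structure and the stand-in definitions of esc_html() and sanitize_text_field() are assumptions so that the file runs with the PHP CLI outside WordPress; inside a real plugin the WordPress functions of those names are used instead.

```php
<?php
// Illustrative reconstruction of a stored-XSS pattern on an 'event_type'
// parameter, with a hardened version. Hypothetical names throughout; this is
// not the Post SMTP plugin's code.

// Stand-ins so the file runs with `php example.php` outside WordPress.
// Inside WordPress these are provided by core and must not be redefined.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);
        return trim($str);
    }
}

// Hypothetical allowlist of event types a tracking extension might record.
const ALLOWED_EVENT_TYPES = ['open', 'click', 'bounce', 'delivered'];

// --- Vulnerable pattern: raw parameter stored, raw value echoed -------------
function vulnerable_store_event(array $request, array &$log) {
    // No validation: whatever the unauthenticated caller sends is persisted.
    $log[] = ['event_type' => $request['event_type'] ?? ''];
}
function vulnerable_render_log(array $log) {
    $html = '';
    foreach ($log as $row) {
        // Unescaped output: a stored <script> payload reaches every viewer.
        $html .= '<td>' . $row['event_type'] . '</td>';
    }
    return $html;
}

// --- Hardened pattern: validate on input, escape on output ------------------
function hardened_store_event(array $request, array &$log) {
    $type = sanitize_text_field($request['event_type'] ?? '');
    // Reject anything outside the known enumeration (SI-10 input validation).
    if (!in_array($type, ALLOWED_EVENT_TYPES, true)) {
        return false;
    }
    $log[] = ['event_type' => $type];
    return true;
}
function hardened_render_log(array $log) {
    $html = '';
    foreach ($log as $row) {
        // Escape on every echo (SI-15 output filtering) even though input was
        // validated: defence in depth against data stored before the fix.
        $html .= '<td>' . esc_html($row['event_type']) . '</td>';
    }
    return $html;
}

// Affected range from the advisory: all versions up to and including 3.8.0.
function post_smtp_version_is_vulnerable($installed_version) {
    return version_compare($installed_version, '3.8.0', '<=');
}

// Demonstration with a constructed payload (not a real captured request).
$payload = ['event_type' => '<script>alert(document.domain)</script>'];

$vuln_log = [];
vulnerable_store_event($payload, $vuln_log);
echo "vulnerable render:            " . vulnerable_render_log($vuln_log) . PHP_EOL;
// Escaping at output neutralizes the same stored row.
echo "hardened render of same row:  " . hardened_render_log($vuln_log) . PHP_EOL;

$safe_log = [];
$accepted = hardened_store_event($payload, $safe_log);
echo "hardened store accepted payload: " . ($accepted ? 'yes' : 'no') . PHP_EOL;
hardened_store_event(['event_type' => 'click'], $safe_log);
echo "hardened render of valid row:  " . hardened_render_log($safe_log) . PHP_EOL;

foreach (['3.7.2', '3.8.0', '3.8.1'] as $v) {
    printf("version %s vulnerable: %s\n", $v, post_smtp_version_is_vulnerable($v) ? 'yes' : 'no');
}
```

The allowlist is the decisive control here: 'event_type' is an enumeration, so anything outside the known set should be refused at the boundary rather than merely cleaned. Output escaping is still required because rows written before the fix remain in the database, and because a later code path may introduce another way for attacker-controlled text to reach the same page.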

EU & UK References

Vulnerability details

The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and Tracking extension is enabled.

CWE(s)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1566.001 Spearphishing Attachment (Initial Access): Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

Stored XSS in a WordPress plugin lets an attacker place script that executes in victims' browsers (T1059.007 JavaScript). Because the injection point is reachable without authentication, the payload can be planted remotely and then fires when a victim browses to the affected page, which matches drive-by compromise (T1189) or a phishing lure (T1566.001) that leads the victim to that page.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28109 (shared CWE-79)
CVE-2024-53965 (shared CWE-79)
CVE-2025-50128 (shared CWE-79)
CVE-2025-25132 (shared CWE-79)
CVE-2026-25438 (shared CWE-79)
CVE-2025-69053 (shared CWE-79)
CVE-2026-25383 (shared CWE-79)
CVE-2025-70846 (shared CWE-79)
CVE-2026-42524 (shared CWE-79)
CVE-2026-42457 (shared CWE-79)

Affected Assets

WordPress: Post SMTP plugin, all versions up to and including 3.8.0, when Post SMTP Pro with its Reporting and Tracking extension is also installed and enabled.
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly addresses the insufficient input sanitization of the 'event_type' parameter, preventing injection of arbitrary web scripts by unauthenticated attackers.

SI-15 Information Output Filtering (prevent): Mitigates the lack of output escaping by filtering injected scripts before they are rendered and executed on affected pages.

SI-2 Flaw Remediation (prevent): Ensures timely flaw remediation through updating the Post SMTP plugin to a version later than 3.8.0, eliminating the stored XSS vulnerability.

References