WWordPress Vulnerability Database

Hong Kong Community Alert Post SMTP XSS(CVE20263090)

Cross Site Scripting (XSS) in WordPress Post SMTP Plugin
0
Shares
0
0
0
0
Plugin Name Post SMTP
Type of Vulnerability Cross-Site Scripting (XSS)
CVE Number CVE-2026-3090
Urgency Low
CVE Publish Date 2026-03-20
Source URL CVE-2026-3090

Urgent Security Advisory: Post SMTP Plugin (≤ 3.8.0) — Unauthenticated Stored XSS (CVE-2026-3090) — Impact, Mitigation & Response

Date: 2026-03-20  |  Author: Hong Kong Security Expert

Tags: WordPress, Security, WAF, XSS, Post SMTP, Vulnerability, CVE-2026-3090

Summary: A stored cross-site scripting (XSS) vulnerability (CVE-2026-3090) affecting the Post SMTP WordPress plugin (versions ≤ 3.8.0) allows an unauthenticated attacker to store a malicious payload via the event_type parameter. Successful exploitation can result in administrative actions being performed by a privileged user when they view or interact with the affected UI. A patched release is available (3.9.0). This advisory explains the risk, exploitation path, detection, mitigation and incident response steps from a pragmatic Hong Kong security perspective.

TL;DR (for site owners and admins)

  • Vulnerability: Stored XSS via the event_type parameter in Post SMTP plugin versions ≤ 3.8.0 (CVE-2026-3090).
  • Risk: An unauthenticated attacker can persist a payload that executes in the browser of an administrator when viewing the plugin UI or events page; this can lead to session theft, admin account compromise, malware installation, or lateral movement.
  • Patched version: 3.9.0 — update immediately.
  • Immediate mitigations if you cannot patch right away:
    • Restrict access to the plugin admin pages (IP whitelist, HTTP auth or similar host-level controls).
    • Disable the plugin temporarily if it is not required.
    • Apply host/WAF rules to block requests containing HTML/script payloads in event_type.
    • Scan the database for stored payloads and remove them.

What is the vulnerability?

This is a stored cross-site scripting (XSS) issue affecting Post SMTP plugin versions up to and including 3.8.0. An unauthenticated attacker may submit specially crafted input to the plugin’s endpoints (specifically via the event_type parameter). The plugin stores that input and later outputs it in an administrative page without proper output escaping or sanitization. When a privileged user (for example, an administrator) views or interacts with that page, the stored malicious script runs in their browser context.

Because the script runs in the admin’s browser, it can perform actions with that user’s privileges — including creating or modifying options, installing plugins, creating administrator accounts, or exfiltrating cookies and credentials. The vulnerability therefore poses a high impact to site confidentiality and integrity despite originating from an unauthenticated attacker.

CVE: CVE-2026-3090
Affected: Post SMTP plugin ≤ 3.8.0
Patched in: 3.9.0
Disclosure date: 20 March 2026

How exploitation works (high-level)

  1. Attacker sends a request to an endpoint or action in the Post SMTP plugin that accepts an event_type value. That request does not require authentication (unauthenticated submission).
  2. The plugin accepts and stores the value directly to the database (or to a log/event store) with insufficient sanitization or validation.
  3. Later, a logged-in privileged user (administrator/manager) visits the plugin’s events or settings UI. The plugin renders the stored event_type without proper escaping.
  4. The browser executes the persisted script in context of the admin session. From there an attacker can:
    • Read cookies or authentication tokens (session hijacking).
    • Issue requests to admin endpoints to create users, change options, install plugins, etc.
    • Persist backdoors or modify site content.
    • Deface or redirect visitors or pivot to other parts of the site.

Note: Although the initial submission can be unauthenticated, exploitation requires an admin to view the affected content. This is often achieved by social engineering (sending a malicious link or encouraging an admin to visit a particular page).

Why this is dangerous

  • Stored XSS persists in the site database and can trigger every time an admin views the affected page.
  • Because the script executes in the administrator’s browser, it can perform actions with admin privileges—effectively enabling site takeover.
  • Automated mass-exploitation is attractive to attackers: they can inject payloads across many sites rapidly and wait for an admin to browse the site UI.
  • Post-exploitation activities can be stealthy (backdoors, scheduled tasks, malicious code) and difficult to detect without a thorough forensic review.

Realistic exploitation scenarios

  • Phishing-like lure: Attacker injects a payload and emails an administrator a link to the plugin’s “Events” page with a convincing pretext. When the admin clicks, the payload executes.
  • Automated pivot: A payload that creates a new admin account or modifies admin email settings to give the attacker password reset access.
  • Persistent malware: Script writes malicious PHP backdoor via an admin-privileged AJAX action (triggered by the script), enabling remote code execution.
  • Supply-chain annoyance: An attacker injects JavaScript that modifies outgoing emails or inserts tracking/ad scripts into content.

Immediate actions for site owners / administrators

If you run Post SMTP plugin on any WordPress site:

  1. Update the plugin to version 3.9.0 or later immediately.
    • Go to Plugins > Installed Plugins, locate Post SMTP and update.
    • If automatic updates are possible in your environment, enable them for this plugin.
  2. If you cannot update immediately:
    • Consider disabling the plugin temporarily until the update is possible.
    • Restrict access to the plugin admin pages:
      • Use IP whitelisting at the web server level to limit admin area access.
      • Protect wp-admin with HTTP auth for an additional barrier.
    • Apply WAF/host rules to block requests that attempt to inject HTML/JS into the event_type parameter (examples below).
    • Monitor logs for suspicious POST requests to plugin endpoints.
  3. Scan the database for stored malicious payloads:
    • Search plugin-specific tables (events/logs) and common locations (wp_options, wp_posts, wp_postmeta) for indicators like , onerror=, javascript:, , or obfuscated variants.
    • Remove malicious rows or sanitize values if found.
  4. Rotate credentials and session tokens for administrative users:
    • Reset admin passwords.
    • Invalidate active sessions (use plugin or database method to expire logged-in sessions).
  5. Review files and scheduled tasks for backdoors:
    • Search for recently modified PHP files or unknown scheduled tasks (cron).
    • Check wp-content for unfamiliar files.
  6. If you detect compromise:
    • Isolate the site (take offline or restrict access) — preserve evidence.
    • Restore from a clean backup prior to the injection if one exists.
    • Conduct a full forensic analysis or engage a specialist.

How to detect if your site was targeted or compromised

Search for indicators of compromise (IoCs):

  • Database searches (replace wp_ prefix if different):
    • SELECT * FROM wp_options WHERE option_value LIKE ‘%
    • SELECT * FROM wp_posts WHERE post_content LIKE ‘%
    • SELECT * FROM wp_postmeta WHERE meta_value LIKE ‘%
    • Search for event_type stored values: 
      SELECT * FROM wp_options WHERE option_name LIKE '%post_smtp%' AND option_value LIKE '%
  • Web server logs: Look for suspicious POST requests to plugin endpoints with event_type payloads containing < or > or javascript:.
  • Admin activity: Check last login timestamps and admin user actions for unexpected changes.
  • File system: Look for newly created PHP files or files with modified timestamps matching suspicious activity.

If you find suspicious stored content, isolate it and clean or remove the entries. Preserve samples for forensic analysis before deleting.

Quick database cleanup examples

Warning: Always backup your database before performing deletions or updates.

  • Find entries with script tags: 
    SELECT option_id, option_name FROM wp_options WHERE option_value LIKE '%
  • Clear malicious value for a known option: 
    UPDATE wp_options SET option_value = '' WHERE option_name = 'post_smtp_some_event_option' AND option_value LIKE '%
  • Remove malicious event rows in a plugin events table (example table name): 
    DELETE FROM wp_post_smtp_events WHERE event_type LIKE '%

    (Replace table names with actual plugin table names; check plugin docs or inspect DB schema.)

If unsure, export the suspicious rows into a safe file for analysis before deleting.

Virtual patching and WAF rules (examples)

If you cannot immediately update the plugin, virtual patching via a WAF (web application firewall) or host-level rules can block exploit attempts. Below are sample rule ideas that you or your host/WAF admin can adapt. These are defensive patterns — tune them to avoid false positives.

  1. Generic rule to block script tags in event_type parameter

    Pseudo-regex (conceptual): Block requests where event_type parameter matches (?i)<.*script.*>|javascript:|onerror=|onload=|.

    Example ModSecurity (conceptual):

    SecRule ARGS:event_type "@rx (?i)(<\s*script|javascript:|onerror=|onload=|<\s*svg)" "id:900001,phase:2,deny,log,msg:'Blocked possible Post SMTP event_type XSS payload'"
  2. Block suspicious characters or complexity in event_type

    Deny if event_type includes characters <, > or tokens like javascript: when only simple tokens are expected.

  3. Restrict access to plugin admin pages

    Limit access to /wp-admin/admin.php?page=post-smtp* or similar endpoints by IP or HTTP auth at the host or reverse-proxy level.

  4. Strip script-like content

    If your WAF supports request-body transformations, strip