CVE-2026-48838
Description
Unauthenticated XSS in Post SMTP plugin <=3.6.2 allows attackers to inject malicious scripts via crafted links, requiring user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Post SMTP plugin for WordPress versions up to and including 3.6.2 contains an unauthenticated cross-site scripting (XSS) vulnerability. The flaw exists where user-supplied input is not properly sanitized, allowing injection of arbitrary HTML and JavaScript. No authentication is required to trigger the vulnerable code path, but successful exploitation depends on a privileged user performing an action such as clicking a malicious link or visiting a crafted page [1].
Exploitation
An attacker can craft a malicious link or page containing the XSS payload and deliver it to a user with administrative or editor privileges. When the victim interacts with the crafted input (e.g., by clicking a link or submitting a form), the injected script executes in the context of the victim's session [1]. The vulnerability does not require prior authentication on the attacker's part.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, redirection to malicious sites, injection of advertisements, or other HTML payloads that execute when visitors load the affected page [1]. The impact is limited by the need for user interaction and the privileges of the victim.
Mitigation
The vulnerability is fixed in version 3.6.3 of the Post SMTP plugin. Users are advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workarounds are documented for those unable to update [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.6.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026), Wordfence Blog, Jun 4, 2026