VYPR

Post SMTP

by WordPress

Source repositories

CVEs (23)

  • CVE-2023-6875CriJan 11, 2024
    risk 0.67cvss 9.8epss 0.90

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and…

  • CVE-2025-11833CriNov 1, 2025
    risk 0.58cvss 9.8epss 0.52

    The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construct function in all versions up to, and including, 3.6.0. This makes it…

  • CVE-2025-24000HigAug 7, 2025
    risk 0.57cvss 8.8epss 0.01

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Saad Iqbal Post SMTP post-smtp allows Authentication Bypass.This issue affects Post SMTP: from n/a through <= 3.2.0.

  • CVE-2024-52436HigNov 18, 2024
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal Post SMTP post-smtp allows Blind SQL Injection.This issue affects Post SMTP: from n/a through <= 2.9.9.

  • CVE-2026-48838HigJun 15, 2026
    risk 0.46cvss 7.1epss 0.00

    Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.

  • CVE-2024-5207HigMay 30, 2024
    risk 0.40cvss 7.2epss 0.01

    The POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications plugin for WordPress is vulnerable to time-based SQL Injection via the selected parameter in all versions up to, and including, 2.9.3 due to insufficient escaping on the…

  • CVE-2023-7027HigJan 3, 2024
    risk 0.40cvss 7.2epss 0.01

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization…

  • CVE-2023-3082HigJul 12, 2023
    risk 0.40cvss 7.2epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web…

  • CVE-2024-29128HigMar 19, 2024
    risk 0.39cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS.This issue affects POST SMTP: from n/a through 2.8.6.

  • CVE-2023-6629MedJan 3, 2024
    risk 0.33cvss 6.1epss 0.00

    The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization…

  • CVE-2025-12887MedDec 3, 2025
    risk 0.28cvss 5.4epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it…

  • CVE-2021-4422MedJul 12, 2023
    risk 0.28cvss 4.3epss 0.01

    The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger…

  • CVE-2026-2559MedMar 18, 2026
    risk 0.27cvss 5.3epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `handle_office365_oauth_redirect()` function in all versions up to, and including, 3.8.0. This is due to the function being hooked to `admin_init`…

  • CVE-2025-9219MedSep 3, 2025
    risk 0.21cvss 4.3epss 0.00

    The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the…

  • CVE-2025-22800MedJan 13, 2025
    risk 0.21cvss 4.3epss 0.00

    Missing Authorization vulnerability in Saad Iqbal Post SMTP post-smtp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post SMTP: from n/a through <= 2.9.11.

  • CVE-2024-13844Mar 8, 2025
    risk 0.00cvss epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to generic SQL Injection via the ‘columns’ parameter in all versions up to, and including, 3.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This…

  • CVE-2025-0521Feb 18, 2025
    risk 0.00cvss epss 0.00

    The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2023-3178Jan 16, 2024
    risk 0.00cvss epss 0.00

    The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack.

  • CVE-2023-6620Jan 15, 2024
    risk 0.00cvss epss 0.14

    The POST SMTP Mailer WordPress plugin before 2.8.7 does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.

  • CVE-2023-6621Jan 3, 2024
    risk 0.00cvss epss 0.00

    The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Page 1 of 2