CVE-2026-3090 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App WordPress plugin developed by saadiqbal. This vulnerability affects all versions up to and including 3.8.0. The root cause is insufficient input sanitization and output escaping of the 'event_type' parameter, which is used during web page generation. When the Post SMTP Pro plugin and its Reporting and Tracking extension are enabled, an unauthenticated attacker can inject arbitrary JavaScript code into stored content. This malicious script executes whenever a user accesses the affected page, potentially allowing the attacker to steal cookies, hijack sessions, deface content, or perform other malicious actions within the victim's browser context. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS 3.1 base score is 7.2 (high), with vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and a scope change. The impact affects confidentiality and integrity but not availability. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with the Pro Reporting and Tracking extension enabled.

The impact of CVE-2026-3090 is considerable for organizations relying on the Post SMTP WordPress plugin with the Pro Reporting and Tracking extension. Successful exploitation allows attackers to execute arbitrary scripts in the context of site users, potentially leading to theft of sensitive information such as authentication cookies, personal data, or administrative credentials. This can result in account takeover, unauthorized access to backend systems, and further compromise of the WordPress environment. The vulnerability undermines the integrity of web content and can facilitate phishing or malware distribution campaigns. Since the attack requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk to organizations worldwide. The absence of availability impact means the service remains operational, potentially allowing persistent exploitation. Organizations with high-value targets, such as e-commerce, government, or financial websites using this plugin, face elevated risks of data breaches and reputational damage.

To mitigate CVE-2026-3090, organizations should immediately update the Post SMTP plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should consider disabling the Post SMTP Pro plugin's Reporting and Tracking extension, as the vulnerability is only exploitable when this extension is enabled. Implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the 'event_type' parameter can provide temporary protection. Additionally, review and sanitize all inputs related to email event tracking and logs. Conduct thorough security audits of WordPress plugins and limit plugin usage to trusted and actively maintained components. Employ Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly monitor logs for suspicious activity related to this plugin and educate users about the risks of XSS attacks. Finally, maintain up-to-date backups to enable recovery in case of compromise.